Courseiva
Knowledge + Practice

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Identity and Access Management

Practice CISSP Identity and Access Management questions with full explanations on every answer.

68 questions

Session lengths: 10, 20, 30, or 50 questions (about one minute per question). Free, no account required.


All CISSP Identity and Access Management questions (68)


1

A healthcare organization implements a policy requiring all employees to use biometric fingerprint scanners to access patient records. Which of the following is the MOST significant risk associated with this authentication method?

2

A multinational corporation deploys a single sign-on (SSO) solution using SAML 2.0 across all subsidiaries. Recently, users in one subsidiary report being unable to access an internal application. The identity provider (IdP) logs show successful authentication, but the service provider (SP) logs indicate assertion validation failures. Which of the following is the MOST likely cause?

3

An organization wants to implement a password policy that balances security and usability. Which of the following is the BEST practice according to current NIST guidelines?

4

A company uses Role-Based Access Control (RBAC) for its ERP system. A user in the 'Accounts Payable' role needs to temporarily approve purchase orders up to $10,000 while the 'Purchasing Manager' is on leave. What is the BEST way to grant this access?

5

A security analyst discovers that a service account in Active Directory has not had its password changed in 5 years and has domain admin privileges. The account is used by a legacy application that does not support modern authentication protocols. Which of the following is the MOST secure approach to manage this account?

6

A company wants to implement multi-factor authentication (MFA) for remote access. Which combination of factors represents something you have and something you are?

7

An organization uses OAuth 2.0 for delegated access to APIs. A developer creates a public client application that runs on mobile devices. Which OAuth 2.0 grant type is MOST appropriate for this scenario?

8

Which TWO of the following are valid methods to enforce separation of duties in an access control system?

9

Which THREE of the following are characteristics of a federated identity management system?

10

Which TWO of the following are types of access control models?

11

Refer to the exhibit. A user reports they cannot authenticate to a web application after receiving a new token. The error log shows the above entries. Which of the following is the MOST likely cause?

12

Refer to the exhibit. A user 'jdoe' is a member of the Domain Users group but not of the Administrators or Remote Desktop Users groups. The user reports they cannot log on locally to a domain-joined Windows server, but they can log on via RDP. Based on the GPO results, what is the MOST likely reason?

13

A medium-sized financial services company recently deployed a new identity governance and administration (IGA) solution to manage user access across on-premises Active Directory and cloud-based SaaS applications. The IGA system uses a role-based access control (RBAC) model with hundreds of roles defined. The company has a policy that all access certifications must be completed quarterly. During the first quarterly certification, the access reviewers complain that they are overwhelmed by the number of entitlements they need to review, and many certifications are not completed on time. The security team also notices that some users have accumulated excessive privileges because role assignments were not properly reviewed. The company wants to streamline the certification process without sacrificing security. Which of the following is the BEST course of action?

14

Drag and drop the steps for implementing a digital signature using asymmetric cryptography in the correct order.

15

Match each access control type to its description.

16

A company requires employees to authenticate using a smart card and PIN to access the corporate network. This is an example of which type of authentication?

17

A security architect is designing access controls for a healthcare application where permissions are based on the user's role, the sensitivity of the data, and the context of the access (e.g., time of day). Which access control model best fits this requirement?

18

An organization is implementing federated identity to allow partners to access its web application. The solution must support single logout and attribute exchange. Which protocol is most appropriate?

19

A system administrator notices that user accounts are often left active after employees leave the company. Which process should be automated to address this?

20

An organization's security policy requires that privileged accounts have their passwords changed every 30 days and be monitored. Which solution effectively manages these requirements?

21

During an audit, it is discovered that several users have inherited permissions through nested group memberships that violate least privilege. What is the best approach to correct this?

22

A company wants employees to access multiple SaaS applications using a single set of credentials. Which technology should be deployed?

23

An organization is implementing biometric authentication. Which factor should be considered to minimize the false rejection rate?

24

A security engineer is troubleshooting an authentication failure for a Windows domain user. The user receives 'Access denied' when trying to access a file server. The Kerberos ticket-granting ticket was successfully obtained. What is the most likely issue?

25

Which TWO principles are essential for implementing least privilege in identity and access management?

26

Which TWO protocols are commonly used for identity federation?

27

Which THREE access control models support the principle of least privilege?

28

Refer to the exhibit. An IAM policy is attached to a user. What is the effective permission when the user attempts to read the object 'confidential/report.pdf'?

29

Refer to the exhibit. A RADIUS server log shows multiple successful authentications for the same user followed by failures. What is the most likely cause?

30

Refer to the exhibit. A SAML response is received by the service provider. Which security issue is present?

31

A company implements a centralized authentication system using RADIUS for network devices. The security team notices that after a user's password is changed in Active Directory, the user can still authenticate to network devices using the old password for up to 30 minutes. What is the most likely cause?

32

An organization uses a custom application that stores user passwords using salted SHA-256 hashes. During a security audit, the auditor recommends migrating to a more secure password storage mechanism. Which of the following is the best recommendation?
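As an added illustration of the storage scheme question 32 describes (editor's example, not Courseiva's code or answer key), the block below places a salted SHA-256 record next to a salted, iterated PBKDF2-HMAC-SHA256 record and shows an in-place migration on the login path. PBKDF2 is used only because it ships in the Python standard library; Argon2id or bcrypt would be stored and verified the same way. The record format, the iteration count (OWASP's current floor for PBKDF2-HMAC-SHA256) and the passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Editor's example for the scheme discussed in question 32. Everything here is
# constructed for illustration; it is not Courseiva's code or the answer key.

PBKDF2_ITERATIONS = 600_000   # OWASP's current floor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
LEGACY_PREFIX = "sha256"
CURRENT_PREFIX = "pbkdf2_sha256"


def legacy_hash(password: str, salt: bytes) -> bytes:
    """The scheme the auditor flagged: one SHA-256 over salt || password.
    The salt stops precomputed tables, but a single SHA-256 is so cheap that
    GPUs still test billions of guesses per second against a leaked record."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def legacy_record(password: str) -> str:
    """Build a record the way the old application would have stored it."""
    salt = os.urandom(SALT_BYTES)
    return f"{LEGACY_PREFIX}${salt.hex()}${legacy_hash(password, salt).hex()}"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Recommended replacement: a deliberately slow, salted, tunable KDF.
    The record is self-describing so the work factor can be raised later
    without a flag day."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"{CURRENT_PREFIX}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    fields = record.split("$")
    if len(fields) != 4 or fields[0] != CURRENT_PREFIX:
        raise ValueError("unsupported record format")
    _, iterations, salt_hex, dk_hex = fields
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations), dklen=32
    )
    # Constant-time comparison so response timing does not reveal matching prefixes.
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def needs_rehash(record: str, min_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True for legacy records and for PBKDF2 records below the current work factor."""
    fields = record.split("$")
    return fields[0] != CURRENT_PREFIX or int(fields[1]) < min_iterations


def verify_and_upgrade(password: str, record: str) -> Tuple[bool, str]:
    """Login path that migrates in place: returns (authenticated, record_to_store).
    A legacy record is checked with the old scheme and, only on success, replaced
    with a PBKDF2 record in the same request. The plaintext is never stored, and
    users who never log in keep their old record until it is force-reset."""
    if record.startswith(LEGACY_PREFIX + "$"):
        _, salt_hex, dk_hex = record.split("$")
        ok = hmac.compare_digest(
            legacy_hash(password, bytes.fromhex(salt_hex)), bytes.fromhex(dk_hex)
        )
        return ok, (hash_password(password) if ok else record)
    ok = verify_password(password, record)
    if ok and needs_rehash(record):
        return True, hash_password(password)
    return ok, record


if __name__ == "__main__":
    old = legacy_record("correct horse battery staple")
    ok, new = verify_and_upgrade("correct horse battery staple", old)
    print(ok, new.split("$")[0])
```

The migration keeps the old verifier only for accounts that have not logged in since the change; an organization that wants the legacy records gone by a deadline combines this with a forced reset for the stragglers.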

33

A user reports that they cannot access a file share after being moved to a different department. The file share is secured with NTFS permissions and share permissions. The user is a member of the 'Marketing' group, but the file share is only accessible by 'Sales' group. What is the most likely reason?

34

A security administrator is configuring role-based access control (RBAC) for a cloud storage system. Which of the following is the best practice for assigning permissions?

35

An organization uses a federated identity system with SAML. A new service provider (SP) is added, but users cannot authenticate. The identity provider (IdP) logs show that the SAML response is signed correctly, but the SP rejects it. What is the most likely issue?

36

A password policy requires passwords to be at least 12 characters, with uppercase, lowercase, digits, and special characters. Which of the following is an example of a password that meets the policy?

37

A company uses smart cards for authentication to workstations. A user inserts their smart card but is prompted for a PIN. The user enters the correct PIN but authentication fails. The smart card is not expired. What is the most likely cause?

38

An organization is implementing a privileged access management (PAM) solution for managing administrative credentials. Which of the following is the most critical control to prevent credential theft?

39

An auditor finds that a system uses the same service account for multiple applications. Which risk does this pose?

40

When implementing a federated identity management system, which TWO components are essential for establishing trust between Identity Provider and Service Provider? (Select two.)

41

Which TWO of the following are considered the primary access control models in the context of the CISSP? (Select two.)

42

A security analyst is reviewing an organization's password policy. Which THREE of the following are considered best practices for password security according to current NIST guidelines? (Select three.)

43

Refer to the exhibit. An organization attaches this IAM policy to a user. What is a key security limitation of this policy?

44

Refer to the exhibit. A user has obtained a Kerberos ticket. What does the presence of two service principals indicate?

45

Refer to the exhibit. The PAM configuration shows pam_tally2.so with deny=5 and unlock_time=300. What is the effect of this configuration?

46

A user calls the help desk because they cannot log in. The help desk technician confirms the user's identity by asking for their employee ID and mother's maiden name. Which of the following is the MOST significant security issue with this practice?

47

A company is implementing single sign-on (SSO) for its cloud applications. The security team wants to ensure that user authentication is handled by an on-premises identity provider (IdP) using Security Assertion Markup Language (SAML). Which of the following is a critical configuration step to prevent session hijacking?

48

An organization uses a role-based access control (RBAC) model. After an audit, it was discovered that users have accumulated excessive permissions due to role proliferation. The security architect proposes migrating to an attribute-based access control (ABAC) model. Which challenge is MOST likely to be encountered during this migration?

49

A system administrator is configuring an LDAP directory for user authentication. The policy requires that account lockout occurs after a specified number of failed attempts. Which attribute should be configured?

50

A security engineer is troubleshooting an issue where users are unable to access a web application after being authenticated via OAuth 2.0. The users receive a 403 Forbidden error. The application logs show that the access token is valid but does not contain the required scope. What is the most likely cause?
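Questions 7 and 50 both turn on OAuth 2.0 mechanics, so the following editor's example (not Courseiva's code or answer key, and not a real OAuth library) models the two sides of the exchange: an authorization server issuing codes and tokens under the authorization code grant with PKCE (RFC 7636), which RFC 8252 prescribes for public clients such as mobile apps that cannot hold a client secret, and a resource server returning 403 insufficient_scope (RFC 6750) when a valid token lacks the scope an endpoint requires. The client_id, scope names and storage are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

# Editor's example for questions 7 and 50: an in-memory authorization server
# and resource server, constructed for illustration. Not Courseiva's code and
# not a real OAuth library; the client_id and scope names are made up.


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """RFC 7636 4.1: 43-128 unreserved characters; 32 random bytes give 43."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Authorization code grant with PKCE, the flow RFC 8252 prescribes for
    public clients such as mobile apps, which cannot keep a client secret."""

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, str, Set[str]]] = {}  # code -> (client_id, challenge, scopes)
        self._tokens: Dict[str, Set[str]] = {}                    # access_token -> granted scopes

    def authorize(self, client_id: str, code_challenge: str,
                  requested: Set[str], consented: Set[str]) -> str:
        """Authorization endpoint after user consent. The user may approve fewer
        scopes than the app asked for; only the intersection is bound to the code."""
        code = b64url(secrets.token_bytes(24))
        self._pending[code] = (client_id, code_challenge, requested & consented)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> Dict[str, str]:
        """Token endpoint. The code is single-use and is consumed even when the
        exchange fails, so an intercepted code gives one attempt and no way to
        brute-force the verifier."""
        entry = self._pending.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant"}
        bound_client, challenge, scopes = entry
        proof = code_challenge_s256(code_verifier)
        if bound_client != client_id or not hmac.compare_digest(proof, challenge):
            return {"error": "invalid_grant"}
        access_token = b64url(secrets.token_bytes(24))
        self._tokens[access_token] = scopes
        # RFC 6749 5.1: 'scope' must be returned when it differs from the request.
        return {"access_token": access_token, "token_type": "Bearer",
                "scope": " ".join(sorted(scopes))}

    def introspect(self, access_token: str) -> Optional[Set[str]]:
        return self._tokens.get(access_token)


class ResourceServer:
    """Protected API. A valid token without the scope this endpoint needs gets
    403 insufficient_scope, the situation in question 50; a token the
    authorization server does not recognise gets 401 invalid_token (RFC 6750 3.1)."""

    def __init__(self, auth_server: AuthorizationServer, required_scope: str) -> None:
        self.auth_server = auth_server
        self.required_scope = required_scope

    def handle(self, access_token: str) -> Tuple[int, str]:
        scopes = self.auth_server.introspect(access_token)
        if scopes is None:
            return 401, 'WWW-Authenticate: Bearer error="invalid_token"'
        if self.required_scope not in scopes:
            return 403, ('WWW-Authenticate: Bearer error="insufficient_scope", '
                         f'scope="{self.required_scope}"')
        return 200, "OK"


if __name__ == "__main__":
    auth = AuthorizationServer()
    verifier = make_code_verifier()
    code = auth.authorize("mobile-app", code_challenge_s256(verifier),
                          {"orders:read", "orders:write"}, {"orders:read"})
    tok = auth.token("mobile-app", code, verifier)
    print(ResourceServer(auth, "orders:write").handle(tok["access_token"]))
```

The usage at the bottom reproduces the question 50 symptom: the app asked for two scopes, the user consented to one, the token is valid, and the write endpoint answers 403 because the missing scope was never granted rather than because authentication failed.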

51

An organization uses a federated identity model with multiple external partners. The identity provider (IdP) notices that some partners are sending outdated SAML assertions. What is the best way to mitigate this issue?

52

A company's help desk receives many requests from users who have forgotten their passwords. Which solution is MOST effective in reducing these requests while maintaining security?

53

During a security assessment, it is found that service accounts have interactive logon rights. What is the BEST remediation?

54

A company is designing an access control system for a highly sensitive database. They want to ensure that only authorized users can access data, and that access is automatically revoked when the user's context changes (e.g., job role change). Which model BEST meets these requirements?

55

Which TWO are examples of 'something you know' authentication factors?

56

Which TWO are security benefits of using a federated identity model?

57

Which THREE are components of a privileged access management (PAM) solution?

58

Refer to the exhibit. A user in the 10.1.0.0/16 range attempts to retrieve the object s3://example-bucket/secret/top_secret.pdf. What will be the result?

59

Refer to the exhibit. A user is unable to authenticate using Kerberos. What is the most likely cause?

60

A financial services company with 5000 employees uses a hybrid identity model with on-premises Active Directory (AD) synchronized to Azure AD via Azure AD Connect. The company has recently deployed Microsoft 365 and uses it for email and file sharing. Users authenticate to Azure AD using password hash synchronization (PHS) with Seamless Single Sign-On (SSO). The security team has implemented Conditional Access policies to require multi-factor authentication (MFA) for all external access and for access to sensitive financial applications. Recently, the help desk has received numerous complaints from users working remotely that they are frequently prompted for MFA, even multiple times during a single work session, causing frustration and productivity loss. Additionally, some users report that they are unable to access certain financial applications despite being in the correct group membership. An investigation reveals that Azure AD Connect synchronization is occurring successfully and that MFA configurations appear correct. The security team suspects that the issue may be related to the Conditional Access session settings or token lifetimes. What is the BEST course of action to diagnose and resolve the primary issue of excessive MFA prompts while maintaining security?

61

An organization plans to allow employees to access third-party SaaS applications using their corporate credentials. Which THREE are necessary components for implementing SAML-based identity federation?

62

A large enterprise uses Active Directory for authentication. Several users report intermittent authentication failures when accessing internal web applications. The help desk confirms that the failures occur at random times and affect both new and existing users. The security team discovers that the system clocks on domain controllers are within acceptable limits, but some client workstations show time drift of up to 10 minutes. The Kerberos protocol is used for authentication. What is the most likely cause of the authentication failures, and what action should be taken?
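Question 62 hinges on the timestamp checks that Kerberos builds into every exchange. The editor's model below (not Courseiva's code or answer key) applies the two checks an application server performs on an AP-REQ authenticator, the clock-skew limit and the replay cache, and includes a small triage helper that takes per-workstation clock offsets and reports which machines will fail. The five-minute tolerance is the default of both MIT Kerberos ("clockskew") and the Windows Kerberos policy setting "Maximum tolerance for computer clock synchronization"; the error codes are from RFC 4120. The principal names and the offset survey are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

# Editor's model of the timestamp checks behind question 62; constructed for
# illustration, not Courseiva's content or answer key.

# MIT Kerberos "clockskew" and the Windows policy "Maximum tolerance for
# computer clock synchronization" both default to 5 minutes.
MAX_CLOCK_SKEW = timedelta(minutes=5)
KRB_AP_ERR_SKEW = 37     # RFC 4120: clock skew too great
KRB_AP_ERR_REPEAT = 34   # RFC 4120: request is a replay


class KerberizedService:
    """Accepts AP-REQ authenticators the way an application server does: the
    client's timestamp must fall within max_skew of local time, and the same
    (principal, ctime) pair must not be presented twice inside that window.
    The KDC applies the same skew rule to timestamp pre-authentication, so a
    drifted workstation already fails at the AS-REQ stage, before it holds a TGT."""

    def __init__(self, now: datetime, max_skew: timedelta = MAX_CLOCK_SKEW) -> None:
        self.now = now
        self.max_skew = max_skew
        self._replay_cache: Set[Tuple[str, datetime]] = set()

    def accept(self, client_principal: str, ctime: datetime) -> int:
        """Return 0 on success or the RFC 4120 error code the server would send."""
        self._expire_cache()
        if abs(ctime - self.now) > self.max_skew:
            return KRB_AP_ERR_SKEW
        key = (client_principal, ctime)
        if key in self._replay_cache:
            return KRB_AP_ERR_REPEAT
        self._replay_cache.add(key)
        return 0

    def _expire_cache(self) -> None:
        # An authenticator whose ctime is older than the skew window would be
        # rejected by the skew check anyway, so its cache entry can be dropped.
        cutoff = self.now - self.max_skew
        self._replay_cache = {k for k in self._replay_cache if k[1] >= cutoff}

    def tick(self, delta: timedelta) -> None:
        """Advance the server clock (used to show entries ageing out)."""
        self.now += delta


def workstations_out_of_tolerance(offsets_seconds: Dict[str, int],
                                  max_skew: timedelta = MAX_CLOCK_SKEW) -> List[str]:
    """Triage helper: given each workstation's clock offset from the domain
    controllers (positive = fast, negative = slow), list the ones whose Kerberos
    exchanges will fail. Drift in either direction fails, and only machines past
    the tolerance are affected, which is why the failures look random across users."""
    limit = max_skew.total_seconds()
    return sorted(name for name, off in offsets_seconds.items() if abs(off) > limit)


if __name__ == "__main__":
    # Constructed offsets from a hypothetical time-drift survey (seconds).
    survey = {"WS-ACCT-01": 12, "WS-ACCT-02": -601, "WS-HR-07": 345, "WS-DEV-03": -90}
    print(workstations_out_of_tolerance(survey))
```

A workstation that is 10 minutes off fails regardless of which application it targets, because the first check it hits is the KDC's, not the web server's; pointing the clients at the domain hierarchy's time source (the PDC emulator in Active Directory) and letting them resync removes the condition rather than the symptom.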

63

A hospital is implementing an access control system for its electronic health record (EHR) application. The system must ensure that only authorized healthcare providers can access patient records based on their role (doctor, nurse, administrator), department (cardiology, oncology, etc.), and patient consent status. The hospital also needs to support break-the-glass access for emergencies. The current solution uses static role-based access control (RBAC) but fails to enforce department-level restrictions and consent checks. What is the most appropriate access control model to address these requirements?

64

A financial services firm recently deployed a multi-factor authentication (MFA) solution for remote access to its trading platform. The MFA requires a one-time password (OTP) via a mobile app, in addition to a username and password. Since deployment, remote traders have complained that the authentication process takes too long, especially during market open hours. The help desk reports that many traders are accidentally locking their accounts due to multiple failed OTP attempts. The security team wants to maintain strong security but improve user experience. Which action should the security team take?

65

A multinational corporation has experienced several security incidents where terminated employees retained access to internal systems for weeks after their departure. The HR department manually terminates accounts by sending notifications to IT, but the process is often delayed or missed. The company uses an identity management system (IDM) that supports automated provisioning and deprovisioning. The security team is tasked with reducing the risk of unauthorized access by former employees. Which of the following is the most effective course of action?

66

An organization wants to implement single sign-on (SSO) for multiple cloud applications. Which of the following is the most secure and scalable approach?

67

Refer to the exhibit. Which TWO statements about this IAM policy are true?

68

A financial institution mandates that all administrative access to network devices must go through a privileged access management (PAM) solution. The PAM solution manages and rotates credentials automatically and logs all sessions. Recently, an auditor discovered that a router's configuration was changed outside of the approved change window. PAM logs show no session during that time. The router supports both local and RADIUS authentication. Which of the following is the MOST likely explanation for the unauthorized change?


Frequently asked questions

What does the Identity and Access Management domain cover on the CISSP exam?

The Identity and Access Management domain (Domain 5 of the ISC2 CISSP exam outline) covers controlling physical and logical access to assets; identification and authentication of people, devices, and services; federated identity with third-party services; authorization mechanisms such as RBAC, ABAC, MAC, and DAC; the identity and access provisioning lifecycle (provisioning, access review, and deprovisioning); and authentication systems such as SAML, OAuth and OpenID Connect, Kerberos, and RADIUS. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISSP domains, no account required.

How many Identity and Access Management questions are in the CISSP question bank?

The Courseiva CISSP question bank contains 68 questions in the Identity and Access Management domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Identity and Access Management for CISSP?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Identity and Access Management questions for CISSP?

Yes — the session launcher on this page draws questions exclusively from the Identity and Access Management domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
