Practice CISSP Identity and Access Management questions with full explanations on every answer.
1. A healthcare organization implements a policy requiring all employees to use biometric fingerprint scanners to access patient records. Which of the following is the MOST significant risk associated with this authentication method?
2. A multinational corporation deploys a single sign-on (SSO) solution using SAML 2.0 across all subsidiaries. Recently, users in one subsidiary report being unable to access an internal application. The identity provider (IdP) logs show successful authentication, but the service provider (SP) logs indicate assertion validation failures. Which of the following is the MOST likely cause?
3. An organization wants to implement a password policy that balances security and usability. Which of the following is the BEST practice according to current NIST guidelines?
4. A company uses Role-Based Access Control (RBAC) for its ERP system. A user in the 'Accounts Payable' role needs to temporarily approve purchase orders up to $10,000 while the 'Purchasing Manager' is on leave. What is the BEST way to grant this access?
5. A security analyst discovers that a service account in Active Directory has not had its password changed in 5 years and has domain admin privileges. The account is used by a legacy application that does not support modern authentication protocols. Which of the following is the MOST secure approach to manage this account?
6. A company wants to implement multi-factor authentication (MFA) for remote access. Which combination of factors represents something you have and something you are?
7. An organization uses OAuth 2.0 for delegated access to APIs. A developer creates a public client application that runs on mobile devices. Which OAuth 2.0 grant type is MOST appropriate for this scenario?
8. Which TWO of the following are valid methods to enforce separation of duties in an access control system?
9. Which THREE of the following are characteristics of a federated identity management system?
10. Which TWO of the following are types of access control models?
11. Refer to the exhibit. A user reports they cannot authenticate to a web application after receiving a new token. The error log shows the above entries. Which of the following is the MOST likely cause?
12. Refer to the exhibit. A user 'jdoe' is a member of the Domain Users group but not of the Administrators or Remote Desktop Users groups. The user reports they cannot log on locally to a domain-joined Windows server, but they can log on via RDP. Based on the GPO results, what is the MOST likely reason?
13. A medium-sized financial services company recently deployed a new identity governance and administration (IGA) solution to manage user access across on-premises Active Directory and cloud-based SaaS applications. The IGA system uses a role-based access control (RBAC) model with hundreds of roles defined. The company has a policy that all access certifications must be completed quarterly. During the first quarterly certification, the access reviewers complain that they are overwhelmed by the number of entitlements they need to review, and many certifications are not completed on time. The security team also notices that some users have accumulated excessive privileges because role assignments were not properly reviewed. The company wants to streamline the certification process without sacrificing security. Which of the following is the BEST course of action?
14. Drag and drop the steps for implementing a digital signature using asymmetric cryptography in the correct order.
15. Match each access control type to its description.
16. A company requires employees to authenticate using a smart card and PIN to access the corporate network. This is an example of which type of authentication?
17. A security architect is designing access controls for a healthcare application where permissions are based on the user's role, the sensitivity of the data, and the context of the access (e.g., time of day). Which access control model best fits this requirement?
18. An organization is implementing federated identity to allow partners to access its web application. The solution must support single logout and attribute exchange. Which protocol is most appropriate?
19. A system administrator notices that user accounts are often left active after employees leave the company. Which process should be automated to address this?
20. An organization's security policy requires that privileged accounts have their passwords changed every 30 days and be monitored. Which solution effectively manages these requirements?
21. During an audit, it is discovered that several users have inherited permissions through nested group memberships that violate least privilege. What is the best approach to correct this?
22. A company wants employees to access multiple SaaS applications using a single set of credentials. Which technology should be deployed?
23. An organization is implementing biometric authentication. Which factor should be considered to minimize the false rejection rate?
24. A security engineer is troubleshooting an authentication failure for a Windows domain user. The user receives 'Access denied' when trying to access a file server. The Kerberos ticket-granting ticket was successfully obtained. What is the most likely issue?
25. Which TWO principles are essential for implementing least privilege in identity and access management?
26. Which TWO protocols are commonly used for identity federation?
27. Which THREE access control models support the principle of least privilege?
28. Refer to the exhibit. An IAM policy is attached to a user. What is the effective permission when the user attempts to read the object 'confidential/report.pdf'?
29. Refer to the exhibit. A RADIUS server log shows multiple successful authentications for the same user followed by failures. What is the most likely cause?
30. Refer to the exhibit. A SAML response is received by the service provider. Which security issue is present?
31. A company implements a centralized authentication system using RADIUS for network devices. The security team notices that after a user's password is changed in Active Directory, the user can still authenticate to network devices using the old password for up to 30 minutes. What is the most likely cause?
32. An organization uses a custom application that stores user passwords using salted SHA-256 hashes. During a security audit, the auditor recommends migrating to a more secure password storage mechanism. Which of the following is the best recommendation?
33. A user reports that they cannot access a file share after being moved to a different department. The file share is secured with NTFS permissions and share permissions. The user is a member of the 'Marketing' group, but the file share is only accessible by the 'Sales' group. What is the most likely reason?
34. A security administrator is configuring role-based access control (RBAC) for a cloud storage system. Which of the following is the best practice for assigning permissions?
35. An organization uses a federated identity system with SAML. A new service provider (SP) is added, but users cannot authenticate. The identity provider (IdP) logs show that the SAML response is signed correctly, but the SP rejects it. What is the most likely issue?
36. A password policy requires passwords to be at least 12 characters, with uppercase, lowercase, digits, and special characters. Which of the following is an example of a password that meets the policy?
37. A company uses smart cards for authentication to workstations. A user inserts their smart card but is prompted for a PIN. The user enters the correct PIN but authentication fails. The smart card is not expired. What is the most likely cause?
38. An organization is implementing a privileged access management (PAM) solution for managing administrative credentials. Which of the following is the most critical control to prevent credential theft?
39. An auditor finds that a system uses the same service account for multiple applications. Which risk does this pose?
40. When implementing a federated identity management system, which TWO components are essential for establishing trust between an Identity Provider and a Service Provider? (Select two.)
41. Which TWO of the following are considered the primary access control models in the context of the CISSP? (Select two.)
42. A security analyst is reviewing an organization's password policy. Which THREE of the following are considered best practices for password security according to current NIST guidelines? (Select three.)
43. Refer to the exhibit. An organization attaches this IAM policy to a user. What is a key security limitation of this policy?
44. Refer to the exhibit. A user has obtained a Kerberos ticket. What does the presence of two service principals indicate?
45. Refer to the exhibit. The PAM configuration shows pam_tally2.so with deny=5 and unlock_time=300. What is the effect of this configuration?
46. A user calls the help desk because they cannot log in. The help desk technician confirms the user's identity by asking for their employee ID and mother's maiden name. Which of the following is the MOST significant security issue with this practice?
47. A company is implementing single sign-on (SSO) for its cloud applications. The security team wants to ensure that user authentication is handled by an on-premises identity provider (IdP) using Security Assertion Markup Language (SAML). Which of the following is a critical configuration step to prevent session hijacking?
48. An organization uses a role-based access control (RBAC) model. After an audit, it was discovered that users have accumulated excessive permissions due to role proliferation. The security architect proposes migrating to an attribute-based access control (ABAC) model. Which challenge is MOST likely to be encountered during this migration?
49. A system administrator is configuring an LDAP directory for user authentication. The policy requires that account lockout occurs after a specified number of failed attempts. Which attribute should be configured?
50. A security engineer is troubleshooting an issue where users are unable to access a web application after being authenticated via OAuth 2.0. The users receive a 403 Forbidden error. The application logs show that the access token is valid but does not contain the required scope. What is the most likely cause?
51. An organization uses a federated identity model with multiple external partners. The identity provider (IdP) notices that some partners are sending outdated SAML assertions. What is the best way to mitigate this issue?
52. A company's help desk receives many requests from users who have forgotten their passwords. Which solution is MOST effective in reducing these requests while maintaining security?
53. During a security assessment, it is found that service accounts have interactive logon rights. What is the BEST remediation?
54. A company is designing an access control system for a highly sensitive database. They want to ensure that only authorized users can access data, and that access is automatically revoked when the user's context changes (e.g., job role change). Which model BEST meets these requirements?
55. Which TWO are examples of 'something you know' authentication factors?
56. Which TWO are security benefits of using a federated identity model?
57. Which THREE are components of a privileged access management (PAM) solution?
58. Refer to the exhibit. A user in the 10.1.0.0/16 range attempts to retrieve the object s3://example-bucket/secret/top_secret.pdf. What will be the result?
59. Refer to the exhibit. A user is unable to authenticate using Kerberos. What is the most likely cause?
60. A financial services company with 5000 employees uses a hybrid identity model with on-premises Active Directory (AD) synchronized to Azure AD via Azure AD Connect. The company has recently deployed Microsoft 365 and uses it for email and file sharing. Users authenticate to Azure AD using password hash synchronization (PHS) with Seamless Single Sign-On (SSO). The security team has implemented Conditional Access policies to require multi-factor authentication (MFA) for all external access and for access to sensitive financial applications. Recently, the help desk has received numerous complaints from users working remotely that they are frequently prompted for MFA, even multiple times during a single work session, causing frustration and productivity loss. Additionally, some users report that they are unable to access certain financial applications despite being in the correct group membership. An investigation reveals that Azure AD Connect synchronization is occurring successfully and that MFA configurations appear correct. The security team suspects that the issue may be related to the Conditional Access session settings or token lifetimes. What is the BEST course of action to diagnose and resolve the primary issue of excessive MFA prompts while maintaining security?
61. An organization plans to allow employees to access third-party SaaS applications using their corporate credentials. Which THREE are necessary components for implementing SAML-based identity federation?
62. A large enterprise uses Active Directory for authentication. Several users report intermittent authentication failures when accessing internal web applications. The help desk confirms that the failures occur at random times and affect both new and existing users. The security team discovers that the system clocks on domain controllers are within acceptable limits, but some client workstations show time drift of up to 10 minutes. The Kerberos protocol is used for authentication. What is the most likely cause of the authentication failures, and what action should be taken?
63. A hospital is implementing an access control system for its electronic health record (EHR) application. The system must ensure that only authorized healthcare providers can access patient records based on their role (doctor, nurse, administrator), department (cardiology, oncology, etc.), and patient consent status. The hospital also needs to support break-the-glass access for emergencies. The current solution uses static role-based access control (RBAC) but fails to enforce department-level restrictions and consent checks. What is the most appropriate access control model to address these requirements?
64. A financial services firm recently deployed a multi-factor authentication (MFA) solution for remote access to its trading platform. The MFA requires a one-time password (OTP) via a mobile app, in addition to a username and password. Since deployment, remote traders have complained that the authentication process takes too long, especially during market open hours. The help desk reports that many traders are accidentally locking their accounts due to multiple failed OTP attempts. The security team wants to maintain strong security but improve user experience. Which action should the security team take?
65. A multinational corporation has experienced several security incidents where terminated employees retained access to internal systems for weeks after their departure. The HR department manually terminates accounts by sending notifications to IT, but the process is often delayed or missed. The company uses an identity management system (IDM) that supports automated provisioning and deprovisioning. The security team is tasked with reducing the risk of unauthorized access by former employees. Which of the following is the most effective course of action?
66. An organization wants to implement single sign-on (SSO) for multiple cloud applications. Which of the following is the most secure and scalable approach?
67. Refer to the exhibit. Which TWO statements about this IAM policy are true?
68. A financial institution mandates that all administrative access to network devices must go through a privileged access management (PAM) solution. The PAM solution manages and rotates credentials automatically and logs all sessions. Recently, an auditor discovered that a router's configuration was changed outside of the approved change window. PAM logs show no session during that time. The router supports both local and RADIUS authentication. Which of the following is the MOST likely explanation for the unauthorized change?
The Identity and Access Management domain covers the key concepts tested in this area of the CISSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISSP domains — no account required.
The Courseiva CISSP question bank contains 68 questions in the Identity and Access Management domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
The session launcher on this page draws questions exclusively from the Identity and Access Management domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.