
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CISSP Identity and Access Management • Complete Question Bank

CISSP Identity and Access Management — All Questions With Answers

Complete CISSP Identity and Access Management question bank — all 68 questions with answers and detailed explanations. Free, no signup required.
Question 1 (medium, multiple choice)

A healthcare organization implements a policy requiring all employees to use biometric fingerprint scanners to access patient records. Which of the following is the MOST significant risk associated with this authentication method?

Question 2 (hard, multiple choice)

A multinational corporation deploys a single sign-on (SSO) solution using SAML 2.0 across all subsidiaries. Recently, users in one subsidiary report being unable to access an internal application. The identity provider (IdP) logs show successful authentication, but the service provider (SP) logs indicate assertion validation failures. Which of the following is the MOST likely cause?

Question 3 (easy, multiple choice)

An organization wants to implement a password policy that balances security and usability. Which of the following is the BEST practice according to current NIST guidelines?

Question 4 (medium, multiple choice)

A company uses Role-Based Access Control (RBAC) for its ERP system. A user in the 'Accounts Payable' role needs to temporarily approve purchase orders up to $10,000 while the 'Purchasing Manager' is on leave. What is the BEST way to grant this access?

Question 5 (hard, multiple choice)

A security analyst discovers that a service account in Active Directory has not had its password changed in 5 years and has domain admin privileges. The account is used by a legacy application that does not support modern authentication protocols. Which of the following is the MOST secure approach to manage this account?

Question 6 (easy, multiple choice)

A company wants to implement multi-factor authentication (MFA) for remote access. Which combination of factors represents something you have and something you are?

Question 7 (medium, multiple choice)

An organization uses OAuth 2.0 for delegated access to APIs. A developer creates a public client application that runs on mobile devices. Which OAuth 2.0 grant type is MOST appropriate for this scenario?

Question 8 (hard, multi select)

Which TWO of the following are valid methods to enforce separation of duties in an access control system?

Question 9 (medium, multi select)

Which THREE of the following are characteristics of a federated identity management system?

Question 10 (easy, multi select)

Which TWO of the following are types of access control models?

Question 11 (medium, multiple choice)

Refer to the exhibit. A user reports they cannot authenticate to a web application after receiving a new token. The error log shows the above entries. Which of the following is the MOST likely cause?

Exhibit

Error Log:
2024-05-20 14:23:01 ERROR [com.example.auth] Authentication failed for user 'jsmith' from IP 192.168.1.100: Invalid token signature
2024-05-20 14:23:01 ERROR [com.example.auth] Token validation failed: JWT signature does not match locally computed signature

Question 12 (hard, multiple choice)

Refer to the exhibit. A user 'jdoe' is a member of the Domain Users group but not of the Administrators or Remote Desktop Users groups. The user reports they cannot log on locally to a domain-joined Windows server, but they can log on via RDP. Based on the GPO results, what is the MOST likely reason?

Exhibit

Active Directory Group Policy Result:
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment:
- Allow log on locally: Administrators, Users
- Deny log on locally: (empty)
- Allow log on through Remote Desktop Services: Administrators
- Deny log on through Remote Desktop Services: (empty)

Effective Access for user 'jdoe' (member of Domain Users):
- Log on locally: Denied (via membership in 'Remote Desktop Users' group? No)
- Log on through RDP: Not explicitly allowed or denied.

Question 13 (hard, multiple choice)

A medium-sized financial services company recently deployed a new identity governance and administration (IGA) solution to manage user access across on-premises Active Directory and cloud-based SaaS applications. The IGA system uses a role-based access control (RBAC) model with hundreds of roles defined. The company has a policy that all access certifications must be completed quarterly. During the first quarterly certification, the access reviewers complain that they are overwhelmed by the number of entitlements they need to review, and many certifications are not completed on time. The security team also notices that some users have accumulated excessive privileges because role assignments were not properly reviewed. The company wants to streamline the certification process without sacrificing security. Which of the following is the BEST course of action?

Question 14 (medium, drag order)

Drag and drop the steps for implementing a digital signature using asymmetric cryptography in the correct order.

Question 15 (medium, matching)

Match each access control type to its description.

Descriptions:
- Owner controls access permissions
- System-enforced based on labels
- Access based on job roles
- Access based on rules and policies

Question 16 (easy, multiple choice)

A company requires employees to authenticate using a smart card and PIN to access the corporate network. This is an example of which type of authentication?

Question 17 (medium, multiple choice)

A security architect is designing access controls for a healthcare application where permissions are based on the user's role, the sensitivity of the data, and the context of the access (e.g., time of day). Which access control model best fits this requirement?

Question 18 (hard, multiple choice)

An organization is implementing federated identity to allow partners to access its web application. The solution must support single logout and attribute exchange. Which protocol is most appropriate?

Question 19 (easy, multiple choice)

A system administrator notices that user accounts are often left active after employees leave the company. Which process should be automated to address this?

Question 20 (medium, multiple choice)

An organization's security policy requires that privileged accounts have their passwords changed every 30 days and be monitored. Which solution effectively manages these requirements?

Question 21 (hard, multiple choice)

During an audit, it is discovered that several users have inherited permissions through nested group memberships that violate least privilege. What is the best approach to correct this?

Question 22 (easy, multiple choice)

A company wants employees to access multiple SaaS applications using a single set of credentials. Which technology should be deployed?

Question 23 (medium, multiple choice)

An organization is implementing biometric authentication. Which factor should be considered to minimize the false rejection rate?

Question 24 (hard, multiple choice)

A security engineer is troubleshooting an authentication failure for a Windows domain user. The user receives 'Access denied' when trying to access a file server. The Kerberos ticket-granting ticket was successfully obtained. What is the most likely issue?

Question 25 (easy, multi select)

Which TWO principles are essential for implementing least privilege in identity and access management?

Question 26 (medium, multi select)

Which TWO protocols are commonly used for identity federation?

Question 27 (hard, multi select)

Which THREE access control models support the principle of least privilege?

Question 28 (easy, multiple choice)

Refer to the exhibit. An IAM policy is attached to a user. What is the effective permission when the user attempts to read the object 'confidential/report.pdf'?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::examplebucket/*"
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/confidential/*"
    }
  ]
}

Question 29 (medium, multiple choice)

Refer to the exhibit. A RADIUS server log shows multiple successful authentications for the same user followed by failures. What is the most likely cause?

Exhibit

Fri Jun 21 14:23:45 2024
  Auth: (0) Login OK: [testuser] (from client client1 port 0)
  Auth: (0) Login OK: [testuser] (from client client1 port 0)
  Auth: (0) Login OK: [testuser] (from client client1 port 0)
  Auth: (0) Login OK: [testuser] (from client client1 port 0)
  Auth: (0) Login: [testuser] (from client client1 port 0) FAILED: invalid password
  Auth: (0) Login: [testuser] (from client client1 port 0) FAILED: invalid password
  Auth: (0) Login: [testuser] (from client client1 port 0) FAILED: invalid password

Question 30 (hard, multiple choice)

Refer to the exhibit. A SAML response is received by the service provider. Which security issue is present?

Exhibit

<samlp:Response>
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-06-21T00:00:00Z" NotOnOrAfter="2024-06-21T01:00:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="role">
        <saml:AttributeValue>admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

Question 31 (medium, multiple choice)

A company implements a centralized authentication system using RADIUS for network devices. The security team notices that after a user's password is changed in Active Directory, the user can still authenticate to network devices using the old password for up to 30 minutes. What is the most likely cause?

Question 32 (hard, multiple choice)

An organization uses a custom application that stores user passwords using salted SHA-256 hashes. During a security audit, the auditor recommends migrating to a more secure password storage mechanism. Which of the following is the best recommendation?

Question 33 (easy, multiple choice)

A user reports that they cannot access a file share after being moved to a different department. The file share is secured with NTFS permissions and share permissions. The user is a member of the 'Marketing' group, but the file share is only accessible to the 'Sales' group. What is the most likely reason?

Question 34 (medium, multiple choice)

A security administrator is configuring role-based access control (RBAC) for a cloud storage system. Which of the following is the best practice for assigning permissions?

Question 35 (hard, multiple choice)

An organization uses a federated identity system with SAML. A new service provider (SP) is added, but users cannot authenticate. The identity provider (IdP) logs show that the SAML response is signed correctly, but the SP rejects it. What is the most likely issue?

Question 36 (easy, multiple choice)

A password policy requires passwords to be at least 12 characters, with uppercase, lowercase, digits, and special characters. Which of the following is an example of a password that meets the policy?

Question 37 (medium, multiple choice)

A company uses smart cards for authentication to workstations. A user inserts their smart card but is prompted for a PIN. The user enters the correct PIN but authentication fails. The smart card is not expired. What is the most likely cause?

Question 38 (hard, multiple choice)

An organization is implementing a privileged access management (PAM) solution for managing administrative credentials. Which of the following is the most critical control to prevent credential theft?

Question 39 (easy, multiple choice)

An auditor finds that a system uses the same service account for multiple applications. Which risk does this pose?

Question 40 (medium, multi select)

When implementing a federated identity management system, which TWO components are essential for establishing trust between the Identity Provider and the Service Provider? (Select two.)

Question 41 (easy, multi select)

Which TWO of the following are considered the primary access control models in the context of the CISSP? (Select two.)

Question 42 (hard, multi select)

A security analyst is reviewing an organization's password policy. Which THREE of the following are considered best practices for password security according to current NIST guidelines? (Select three.)

Question 43 (medium, multiple choice)

Refer to the exhibit. An organization attaches this IAM policy to a user. What is a key security limitation of this policy?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}

Question 44 (easy, multiple choice)

Refer to the exhibit. A user has obtained a Kerberos ticket. What does the presence of two service principals indicate?

Exhibit

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/2024 08:00:00  01/01/2024 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
01/01/2024 08:00:00  01/01/2024 18:00:00  HTTP/server.example.com@EXAMPLE.COM

Question 45 (hard, multiple choice)

Refer to the exhibit. The PAM configuration shows pam_tally2.so with deny=5 and unlock_time=300. What is the effect of this configuration?

Exhibit

auth required pam_unix.so
auth required pam_tally2.so deny=5 unlock_time=300
account required pam_unix.so

Question 46 (easy, multiple choice)

A user calls the help desk because they cannot log in. The help desk technician confirms the user's identity by asking for their employee ID and mother's maiden name. Which of the following is the MOST significant security issue with this practice?

Question 47 (medium, multiple choice)

A company is implementing single sign-on (SSO) for its cloud applications. The security team wants to ensure that user authentication is handled by an on-premises identity provider (IdP) using Security Assertion Markup Language (SAML). Which of the following is a critical configuration step to prevent session hijacking?

Question 48 (hard, multiple choice)

An organization uses a role-based access control (RBAC) model. After an audit, it was discovered that users have accumulated excessive permissions due to role proliferation. The security architect proposes migrating to an attribute-based access control (ABAC) model. Which challenge is MOST likely to be encountered during this migration?

Question 49 (easy, multiple choice)

A system administrator is configuring an LDAP directory for user authentication. The policy requires that account lockout occurs after a specified number of failed attempts. Which attribute should be configured?

Question 50 (medium, multiple choice)

A security engineer is troubleshooting an issue where users are unable to access a web application after being authenticated via OAuth 2.0. The users receive a 403 Forbidden error. The application logs show that the access token is valid but does not contain the required scope. What is the most likely cause?

Question 51 (hard, multiple choice)

An organization uses a federated identity model with multiple external partners. The identity provider (IdP) notices that some partners are sending outdated SAML assertions. What is the best way to mitigate this issue?

Question 52 (easy, multiple choice)

A company's help desk receives many requests from users who have forgotten their passwords. Which solution is MOST effective in reducing these requests while maintaining security?

Question 53 (medium, multiple choice)

During a security assessment, it is found that service accounts have interactive logon rights. What is the BEST remediation?

Question 54 (hard, multiple choice)

A company is designing an access control system for a highly sensitive database. They want to ensure that only authorized users can access data, and that access is automatically revoked when the user's context changes (e.g., job role change). Which model BEST meets these requirements?

Question 55 (easy, multi select)

Which TWO are examples of 'something you know' authentication factors?

Question 56 (medium, multi select)

Which TWO are security benefits of using a federated identity model?

Question 57 (hard, multi select)

Which THREE are components of a privileged access management (PAM) solution?

Question 58 (medium, multiple choice)

Refer to the exhibit. A user in the 10.1.0.0/16 range attempts to retrieve the object s3://example-bucket/secret/top_secret.pdf. What will be the result?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/secret/*"
    }
  ]
}

Question 59 (hard, multiple choice)

Refer to the exhibit. A user is unable to authenticate using Kerberos. What is the most likely cause?

Exhibit

Event ID: 4771
Account Name: jdoe@DOMAIN.COM
Failure Code: 0x18
Source: Microsoft-Windows-Security-Auditing

Question 60 (hard, multiple choice)

A financial services company with 5000 employees uses a hybrid identity model with on-premises Active Directory (AD) synchronized to Azure AD via Azure AD Connect. The company has recently deployed Microsoft 365 and uses it for email and file sharing. Users authenticate to Azure AD using password hash synchronization (PHS) with Seamless Single Sign-On (SSO). The security team has implemented Conditional Access policies to require multi-factor authentication (MFA) for all external access and for access to sensitive financial applications. Recently, the help desk has received numerous complaints from users working remotely that they are frequently prompted for MFA, even multiple times during a single work session, causing frustration and productivity loss. Additionally, some users report that they are unable to access certain financial applications despite being in the correct group membership. An investigation reveals that Azure AD Connect synchronization is occurring successfully and that MFA configurations appear correct. The security team suspects that the issue may be related to the Conditional Access session settings or token lifetimes. What is the BEST course of action to diagnose and resolve the primary issue of excessive MFA prompts while maintaining security?

Question 61 (easy, multi select)

An organization plans to allow employees to access third-party SaaS applications using their corporate credentials. Which THREE are necessary components for implementing SAML-based identity federation?

Question 62 (easy, multiple choice)

A large enterprise uses Active Directory for authentication. Several users report intermittent authentication failures when accessing internal web applications. The help desk confirms that the failures occur at random times and affect both new and existing users. The security team discovers that the system clocks on domain controllers are within acceptable limits, but some client workstations show time drift of up to 10 minutes. The Kerberos protocol is used for authentication. What is the most likely cause of the authentication failures, and what action should be taken?

Question 63 (medium, multiple choice)

A hospital is implementing an access control system for its electronic health record (EHR) application. The system must ensure that only authorized healthcare providers can access patient records based on their role (doctor, nurse, administrator), department (cardiology, oncology, etc.), and patient consent status. The hospital also needs to support break-the-glass access for emergencies. The current solution uses static role-based access control (RBAC) but fails to enforce department-level restrictions and consent checks. What is the most appropriate access control model to address these requirements?

Question 64 (hard, multiple choice)

A financial services firm recently deployed a multi-factor authentication (MFA) solution for remote access to its trading platform. The MFA requires a one-time password (OTP) via a mobile app, in addition to a username and password. Since deployment, remote traders have complained that the authentication process takes too long, especially during market open hours. The help desk reports that many traders are accidentally locking their accounts due to multiple failed OTP attempts. The security team wants to maintain strong security but improve user experience. Which action should the security team take?

Question 65 (medium, multiple choice)

A multinational corporation has experienced several security incidents where terminated employees retained access to internal systems for weeks after their departure. The HR department manually terminates accounts by sending notifications to IT, but the process is often delayed or missed. The company uses an identity management system (IDM) that supports automated provisioning and deprovisioning. The security team is tasked with reducing the risk of unauthorized access by former employees. Which of the following is the most effective course of action?

Question 66 (easy, multiple choice)

An organization wants to implement single sign-on (SSO) for multiple cloud applications. Which of the following is the most secure and scalable approach?

Question 67 (medium, multi select)

Refer to the exhibit. Which TWO statements about this IAM policy are true?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}

Question 68 (hard, multiple choice)

A financial institution mandates that all administrative access to network devices must go through a privileged access management (PAM) solution. The PAM solution manages and rotates credentials automatically and logs all sessions. Recently, an auditor discovered that a router's configuration was changed outside of the approved change window. PAM logs show no session during that time. The router supports both local and RADIUS authentication. Which of the following is the MOST likely explanation for the unauthorized change?
