CISSP · topic practice

Identity and Access Management practice questions

Practise CISSP (Certified Information Systems Security Professional) Identity and Access Management questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations rather than memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Identity and Access Management

What the exam tests

What to know about Identity and Access Management

Identity and Access Management questions test whether you can apply the concept in context, not just recognise a definition. Expect to be tested on:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Identity and Access Management exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Identity and Access Management questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A healthcare organization implements a policy requiring all employees to use biometric fingerprint scanners to access patient records. Which of the following is the MOST significant risk associated with this authentication method?

Question 2 · hard · multiple choice

A multinational corporation deploys a single sign-on (SSO) solution using SAML 2.0 across all subsidiaries. Recently, users in one subsidiary report being unable to access an internal application. The identity provider (IdP) logs show successful authentication, but the service provider (SP) logs indicate assertion validation failures. Which of the following is the MOST likely cause?

Question 3

An organization wants to implement a password policy that balances security and usability. Which of the following is the BEST practice according to current NIST guidelines?

Question 4

A company uses Role-Based Access Control (RBAC) for its ERP system. A user in the 'Accounts Payable' role needs to temporarily approve purchase orders up to $10,000 while the 'Purchasing Manager' is on leave. What is the BEST way to grant this access?

Question 5

A security analyst discovers that a service account in Active Directory has not had its password changed in 5 years and has domain admin privileges. The account is used by a legacy application that does not support modern authentication protocols. Which of the following is the MOST secure approach to manage this account?

Question 6 · easy · multiple choice

A company wants to implement multi-factor authentication (MFA) for remote access. Which combination of factors represents something you have and something you are?

Question 7

An organization uses OAuth 2.0 for delegated access to APIs. A developer creates a public client application that runs on mobile devices. Which OAuth 2.0 grant type is MOST appropriate for this scenario?

Question 8

Which TWO of the following are valid methods to enforce separation of duties in an access control system?

Question 9

Which THREE of the following are characteristics of a federated identity management system?

Question 10

Which TWO of the following are types of access control models?

Question 11

Refer to the exhibit. A user reports they cannot authenticate to a web application after receiving a new token. The error log in the exhibit shows the relevant entries. Which of the following is the MOST likely cause?

Exhibit


Error Log:
2024-05-20 14:23:01 ERROR [com.example.auth] Authentication failed for user 'jsmith' from IP 192.168.1.100: Invalid token signature
2024-05-20 14:23:01 ERROR [com.example.auth] Token validation failed: JWT signature does not match locally computed signature
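The second log line is what a verifier emits when it recomputes a token's signature with its own key and the result differs from the signature inside the token. The following added example (it is not part of the original question and not Courseiva's code) implements HS256 JWT issuance and verification with the Python standard library and reproduces that failure mode. The keys, claims, timestamp and the "rotated key" scenario are constructed for the demonstration; the verifier pins the algorithm rather than trusting the token's `alg` header.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def _b64url_encode(raw: bytes) -> str:
    """JWT uses unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Restore the '=' padding that JWT strips, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_hs256(claims: dict, key: bytes) -> str:
    """Issuer side: sign header.payload with HMAC-SHA256 under the shared key."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, key: bytes, now: Optional[int] = None) -> Tuple[bool, str]:
    """Verifier side: recompute the HMAC locally and compare in constant time.

    Returns (ok, reason). The signature-failure reason mirrors the exhibit's wording.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        presented = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed header or signature"
    # Pin the algorithm on the verifier side; the token must not choose it
    # (otherwise an 'alg: none' or algorithm-confusion token could slip through).
    if header.get("alg") != "HS256":
        return False, "unexpected alg %r" % header.get("alg")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return False, "JWT signature does not match locally computed signature"
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return False, "token expired"
    return True, "ok"


# Constructed demo data (not from the page): the issuer rotated from key v1 to v2
# but the verifier was not updated, so a token signed under v1 fails under v2.
KEY_V1 = b"constructed-demo-signing-key-v1"
KEY_V2 = b"constructed-demo-signing-key-v2"
CLAIMS = {"sub": "jsmith", "iat": 1716215000, "exp": 1716218600}
NOW = 1716215100  # shortly after issuance, well before exp


def demo() -> dict:
    """Reproduce the exhibit's failure mode alongside two related rejections."""
    token = issue_hs256(CLAIMS, KEY_V1)
    header_b64, payload_b64, sig_b64 = token.split(".")
    forged_payload = _b64url_encode(json.dumps({"sub": "admin"}).encode())
    tampered = ".".join([header_b64, forged_payload, sig_b64])
    alg_none = ".".join([_b64url_encode(b'{"alg":"none"}'), payload_b64, ""])
    return {
        "same_key": verify_hs256(token, KEY_V1, NOW),
        "rotated_key": verify_hs256(token, KEY_V2, NOW),  # the exhibit's symptom
        "tampered_payload": verify_hs256(tampered, KEY_V1, NOW),
        "alg_none": verify_hs256(alg_none, KEY_V1, NOW),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>17}: {result}")
```

The same "signature does not match" message covers three distinct situations: the verifier holds a different key than the issuer, the header or payload was altered after signing, or the token was signed with a different algorithm than the verifier expects. The log alone does not distinguish them, which is why a question like this one has to be answered from the surrounding scenario details.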

Question 12

Refer to the exhibit. A user 'jdoe' is a member of the Domain Users group but not of the Administrators or Remote Desktop Users groups. The user reports they cannot log on locally to a domain-joined Windows server, but they can log on via RDP. Based on the GPO results, what is the MOST likely reason?

Exhibit


Active Directory Group Policy Result:
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment:
- Allow log on locally: Administrators, Users
- Deny log on locally: (empty)
- Allow log on through Remote Desktop Services: Administrators
- Deny log on through Remote Desktop Services: (empty)

Effective Access for user 'jdoe' (member of Domain Users):
- Log on locally: Denied (jdoe is not a member of 'Remote Desktop Users')
- Log on through RDP: Not explicitly allowed or denied.

Question 13

A medium-sized financial services company recently deployed a new identity governance and administration (IGA) solution to manage user access across on-premises Active Directory and cloud-based SaaS applications. The IGA system uses a role-based access control (RBAC) model with hundreds of roles defined. The company has a policy that all access certifications must be completed quarterly. During the first quarterly certification, the access reviewers complain that they are overwhelmed by the number of entitlements they need to review, and many certifications are not completed on time. The security team also notices that some users have accumulated excessive privileges because role assignments were not properly reviewed. The company wants to streamline the certification process without sacrificing security. Which of the following is the BEST course of action?

Question 14 · medium · drag order

Drag and drop the steps for implementing a digital signature using asymmetric cryptography in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.


Question 15

Match each access control type to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Descriptions

  • Owner controls access permissions
  • System-enforced based on labels
  • Access based on job roles
  • Access based on rules and policies

Question 16

A company requires employees to authenticate using a smart card and PIN to access the corporate network. This is an example of which type of authentication?

Question 17

A security architect is designing access controls for a healthcare application where permissions are based on the user's role, the sensitivity of the data, and the context of the access (e.g., time of day). Which access control model best fits this requirement?

Question 18

An organization is implementing federated identity to allow partners to access its web application. The solution must support single logout and attribute exchange. Which protocol is most appropriate?

Question 19

A system administrator notices that user accounts are often left active after employees leave the company. Which process should be automated to address this?

Question 20

An organization's security policy requires that privileged accounts have their passwords changed every 30 days and be monitored. Which solution effectively manages these requirements?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Identity and Access Management sessions

Start an Identity and Access Management only practice session

Every question in these sessions is drawn from the Identity and Access Management domain — nothing else.

Related practice questions

Related CISSP topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the CISSP exam test about Identity and Access Management?
Identity and Access Management questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Identity and Access Management questions in a focused session?
Yes — the session launcher on this page draws every question from the Identity and Access Management domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CISSP topics?
Use the topic links above to move to related areas, or go back to the CISSP question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CISSP exam covers. They are not copied from any real exam or dump site.