Universal Containers (UC) wants to build a few applications that leverage the Salesforce REST API. UC has asked its Architect to describe how the API calls will be authenticated to a specific user.
Which two mechanisms can the Architect provide? Choose 2 Answers

Authentication Token
Session ID
Refresh Token
Access Token

Answer(s): C,D

Show Answer Next Question

QUESTION: 27

Universal Containers (UC) has an existing web application that it would like to access from Salesforce without requiring users to re-authenticate. The web application is owned UC and the UC team that is responsible for it is willing to add new javascript code and/or libraries to the application.
What implementation should an Architect recommend to UC?

Create a Canvas app and use Signed Requests to authenticate the users.
Rewrite the web application as a set of Visualforce pages and Apex code.
Configure the web application as an item in the Salesforce App Launcher.
Add the web application as a ConnectedApp using OAuth User-Agent flow.

Answer(s): A

Show Answer Next Question

QUESTION: 28

A technology enterprise isplanning to implement single sign-on login for users. When users log in to the Salesforce User object custom field, data should be populated for new and existing users.

Which two steps should an identity architect recommend?

Choose 2 answers

Implement Auth.SamlJitHandler Interface.
Create and update methods.
Implement RegistrationHandler Interface.
Implement SesslonManagement Class.

Answer(s): A,B

Show Answer Next Question

QUESTION: 29

An architect needs to advise the team that manages the identity provider how to differentiate salesforce from other service providers.
What SAML SSO setting in salesforce provides this capability?

Entity id
Issuer
Identity provider login URL
SAML identity location

Answer(s): A

Show Answer Next Question

QUESTION: 30

Universal Container's (UC) identity architect needs to recommend a license type for their new Experience Cloud site that will be used by external partners (delivery providers) for reviewing and updating their accounts, downloading files provided by UC and obtaining scheduled pickup dates from their calendar.

UC is using their Salesforce production org as the identity provider for these users and the expected number of individual users is 2.5 million with 13.5 million unique logins per month.

Which of the following license types should be used to meet the requirement?

External Apps License
Partner Community License
Partner Community Login License
Customer Community plus Login License

Answer(s): D

Show Answer Next Question

Viewing page 7 of 48
Viewing questions 31 - 35 out of 230 questions

Post your Comments and Discuss Salesforce IDENTITY-AND-ACCESS-MANAGEMENT-DESIGNER exam prep with other Community members:

Comments:

Name:

IDENTITY-AND-ACCESS-MANAGEMENT-DESIGNER Exam Discussions & Posts (Share your experience with others)

NSPK Commented on April 23, 2025
Q6 aNS:- B,C both will work rest service and .net
Anonymous

Community-Verified AI Explanation Commented on April 24, 2026
Question 8:

Answer: LLDP

Why: LLDP (Link Layer Discovery Protocol) operates at the data-link layer to discover neighboring devices and the port IDs they’re connected to. On the switch, you can run commands like show lldp neighbors (and show lldp neighbors detail) to see which device is on which port, helping identify the exact switch and port the VoIP handset is using.

Why not the others:

- IKE: VPN protocol, not relevant to local switch port mapping. - VLAN: Indicates which VLAN a device is in, but not the specific switch port. - netstat: Shows active connections on the host, not how it’s wired to the switch.
Anonymous

Kuah Commented on April 24, 2026
exams practice questions questions and answers are very helpful
New Taipei City, Taiwan

Community-Verified AI Explanation Commented on April 24, 2026
Question 1:
Question 1: What are three sources of malware sample data for the Threat Intelligence Cloud? (Choose three)
Correct sources:

C. Correlation Objects generated by AutoFocus

AutoFocus provides correlated threat intelligence objects that contribute malware samples and indicators to the Threat Intelligence Cloud.

D. Third-party data feeds such as partnership with ProofPoint and the Cyber Threat Alliance

External feeds from partners supply additional malware samples and intelligence.

E. Palo Alto Networks non-firewall products such as Traps and Prisma SaaS

Telemetry from endpoint and cloud apps (Traps, Prisma SaaS) feeds malware data into the Threat Intelligence Cloud.
Why the others aren’t sources (brief):

A. Next-generation firewalls deployed with WildFire Analysis Security Profiles and

B. WF-500 configured as private clouds for privacy concerns

These are deployment/usage modes, not direct sources of malware samples into the Threat Intelligence Cloud according to this exam perspective.
Dar Es Salaam, Tanzania

Community-Verified AI Explanation Commented on April 24, 2026
Question 1:
Question 1 asks about a company buying cyber insurance to cover items on the risk register. This represents a risk transfer strategy.

Why B (Transfer) is correct: Cyber insurance shifts the financial impact of identified risks from the organization to a third party (the insurer). This is a classic risk transfer, not a fix to the risk itself.

Why the others are incorrect:

- Accept: Acknowledging risk without action; insurance implies action to cover losses, not just acceptance. - Mitigate: Reduces likelihood or impact with controls, not transferring the cost. - Avoid: Changes plans to eliminate risk entirely; insurance does not eliminate the risk itself.
Key concept: In risk management, response options include Accept, Transfer, Mitigate, and Avoid. Insurance is a transfer of financial risk.
St Louis, United States

Community-Verified AI Explanation Commented on April 24, 2026
Question 6:

Answer: B — Leverage the Kubernetes Cluster Autoscaler to automatically start/stop nodes as needed.

Why B is correct:

For bursty workloads (1000 1-hour jobs per week), autoscaling creates capacity only when there are pending pods, and scales down when idle. This minimizes idle infrastructure and cost while meeting the deadline.

Why the other options are less cost-effective:

A: Pre-allocating an exact node group with taints/tolerations reserves capacity continuously, causing potential idle time and higher cost.

C: Committing to a fixed spend (e.g., reserved instances) reduces flexibility and is inefficient for unpredictable weekly bursts.

D: PriorityClasses affect scheduling order but do not provide capacity or cost savings; they can’t guarantee completion if resources aren’t available.

Key concepts:

Cluster Autoscaler: scales cluster capacity up/down based on pending pods and resource requests.

Optimal for variable workloads where demand spikes are time-bound.

Tip: Combine autoscaler with sensible min/max node settings to ensure quick scale-up for the batch and quick scale-down afterward.
Lagos, Nigeria

Community-Verified AI Explanation Commented on April 24, 2026
Question 1:

Correct answer: A

Explanation:

AWS Snowball Edge pricing includes a free usage window for the device, typically up to a 10-day period for a single job. During this window, you can load data onto the device without separate device rental charges.

The other activities involve data transfer or extended usage and are billed:

- B: Transferring data out of S3 to the Snowball Edge is billed (data transfer/job fees). - C: Transferring data from the Snowball Edge back into S3 is billed (data transfer/job fees). - D: Daily use after 10 days would incur ongoing charges (device rental/usage fees).
So the only no-cost activity listed is using the Snowball Edge for up to 10 days
Pune, India

Community-Verified AI Explanation Commented on April 24, 2026
Question 9:

Correct answer: D) Advanced Currency Management

Why: Advanced Currency Management (ACM) provides dated exchange rates so the converted amount on an opportunity is locked in at the rate in effect on the close date. This prevents future rate changes from altering the closed opportunity amount. The other options do not lock the amount:

- Locale, Company Profile: not related to locking currency amounts. - Multi-currency: allows multiple currencies but doesn’t lock the converted amount. - None of the above: not correct since ACM provides the lock.
Assago, Italy

Community-Verified AI Explanation Commented on April 23, 2026
Question 1:

Correct answer: C: Databricks web application

Explanation:

In the classic Databricks architecture, the control plane hosts management and UI components (the Databricks web app, APIs, authentication, and workspace metadata).

The data plane runs the actual compute and storage (e.g., Driver node, Worker nodes, and Databricks Filesystem (DBFS) backed by cloud storage).

A JDBC data source is external connectivity, not a Databricks control-plane component.

Therefore, the only item hosted completely in the control plane is the Databricks web application.

Waukesha, United States

Max Commented on April 23, 2026
Question 72 is D - Mean time to contain The key phrase in the question is “how long it takes to stop the spread of malware after it enters the network.” That’s specifically about containing an incident not just detecting or fixing it. Mean time to contain (MTTC): Time to stop the spread of the malware once it’s in the network. The correct answer is: Mean time to contain This metric directly reflects how quickly the team can isolate and prevent further damage, which is exactly what executives are asking about.
Grecia, Costa Rica

Community-Verified AI Explanation Commented on April 23, 2026
Question 57:

Correct answer: Traces (option D)

Explanation:

- In distributed telemetry, a trace represents the end-to-end flow of a single request as it travels through multiple services. - A trace is made up of multiple spans, where each span details a single operation (duration, start/end time, identifiers, etc.) within the overall request path. - Other telemetry types: - Metrics: aggregated measurements (counts, gauges, histograms). - Logs: discrete messages tied to events. - So when the question mentions “a series of related distributed events that encode the end-to-end request flow,” that describes a trace.
Lagos, Nigeria

Community-Verified AI Explanation Commented on April 23, 2026
Question 13:

Correct answer: Cluster Autoscaler (Option B)

Explanation:

The Cluster Autoscaler automatically adjusts the number of nodes in your cluster to meet demand.

It scales up when there are unschedulable pods due to insufficient resources, and scales down when nodes are underutilized (draining workloads first, respecting DaemonSets, etc.).

It works with cloud providers (e.g., AWS, GCP, Azure) via node groups or similar constructs.

This is different from:

- Horizontal Pod Autoscaler (HPA): scales the number of pod replicas. - Vertical Pod Autoscaler (VPA): adjusts resource requests/limits of containers. - The term “Node Autoscaler” is less common; the standard Kubernetes component is the Cluster Autoscaler.
Lagos, Nigeria

Community-Verified AI Explanation Commented on April 23, 2026
Question 6:
Correct answer: B

Why B is correct: The Cluster Autoscaler automatically adds cloud nodes when pods cannot be scheduled due to insufficient resources, and scales down when nodes become underutilized. For a bursty, time-limited workload (1000 one-hour jobs by Monday night), autoscaling minimizes cost by provisioning nodes only as needed and releasing them afterward, without paying for idle capacity.

Why the other options are less cost-effective:

- A: Reserved a fixed group of nodes means paying for idle capacity outside the batch window and reduces flexibility. - C: Reserved instances or discounts lock you into a price irrespective of actual usage, which isn’t ideal for unpredictable bursts. - D: PriorityClasses control scheduling priority but don’t reduce the total cost or capacity footprint; you still pay for nodes.

Key concepts to understand:

- The autoscaler reacts to pending pods and resource requests to adjust NodeGroups within configured min/max sizes. - Proper resource requests/limits on pods are essential for accurate scaling. - Aligns with cost optimization by scaling exactly to need during the Monday batch and scaling down afterward.
Lagos, Nigeria

Community-Verified AI Explanation Commented on April 23, 2026
Question 5:

Correct answer: B — --authorization-mode=AlwaysAllow.

Why: The authorization-mode flag controls how the API server enforces access. If you do not configure it, the default is AlwaysAllow, meaning no authorization checks are performed by the API server (requests are allowed unless blocked by other controls). In practice, you’d enable a secure mode like RBAC to enforce proper access control.

Lagos, Nigeria

Community-Verified AI Explanation Commented on April 23, 2026
Question 63:

Correct answer: A: kubectl explain

Why: kubectl explain <resource> retrieves the documentation and field definitions for that Kubernetes resource. It’s the built-in way to learn what fields exist and what they mean (for example, kubectl explain pod or kubectl explain deployments.spec.template).

How it works:

- Example: kubectl explain pods shows top-level fields like apiVersion, kind, metadata, spec, and status, with descriptions. - You can drill into nested fields, e.g., kubectl explain deployments.spec.template.spec.containers.

Why other options are incorrect:

- kubectl api-resources lists resource types, not their field definitions. - kubectl get --help shows usage and flags for get, not resource field docs. - kubectl show is not a valid kubectl command.
Lagos, Nigeria

Community-Verified AI Explanation Commented on April 23, 2026
Question 3:
I can’t view the image-based hotspot diagram in Question 3, but I can explain the concept and why the answer is A.

Correct answer: A. This means the origin host is the one that started the infection.

How to determine the origin:

- Review logs from all hosts and the firewall for the infection timeline. - Look for the earliest host that shows malware activity or initiates suspicious outbound/inbound traffic that later leads to other hosts becoming infected. - Use the firewall/IDS logs to trace the infection path: which host first contacted a malicious external host, or which host first communicated with others in a way that preceded infections on those hosts.

Assess other hosts:

- Mark as infected if their logs show signs of infection after receiving contact from the origin (e.g., malware callbacks, unusual outbound connections, file changes). - Mark as clean if there are no indicators of compromise and they did not participate in the infection chain.

Quick checklist:

- Timestamp order of events. - First host with anomalous activity ? potential origin. - Subsequent hosts’ logs showing infection indicators ? infected; otherwise clean.
If you can describe the key log entries or the visible connections in the diagram, I can help assign which host is A and categorize the others as clean or infected.
Brasília, Brazil

Community-Verified AI Explanation Commented on April 23, 2026
Question 3:
For Question 3, the correct option is C: Configure an Access-Control-Allow-Origin header to authorized domains.
Why:

HttpOnly (A) only protects cookies from JavaScript access; it does not enforce HTTPS.

X-Frame-Options (B) mitigates clickjacking but doesn’t directly control cross-origin data exposure.

Access-Control-Allow-Origin (C) is the CORS setting that restricts which origins can read your web resources. After a vulnerability assessment, tightening CORS to trusted domains reduces exposure of data (such as PII) to unauthorized sites.

Disabling the CORS header (D) would increase exposure and is not a prudent security practice.

So, configuring Access-Control-Allow-Origin to authorized domains directly addresses cross-origin data access risks identified in a web app vulnerability assessment.
Basingstoke, United Kingdom

Community-Verified AI Explanation Commented on April 23, 2026
Question 181:

STP root bridge is chosen by the lowest Bridge ID (priority + MAC). If all priorities are equal (default), the switch with the lowest MAC address becomes the root.

Bridge ID = Priority (default 32768) + MAC address. Since all priorities are default, compare MACs.

Given MACs:

- SW1: 0C:E0:38:41:86:07 - SW2: 0C:0E:15:22:05:97 - SW3: 0C:0E:15:1A:3C:9D - SW4: 0C:E0:18:A1:B3:19

Comparing hex values, SW3 has the smallest MAC after the first two octets (0C:0E:15:1A... is smaller than 0C:0E:15:22... and smaller than the 0C:E0… entries).

Therefore, the root bridge is SW3.

Answer: C.

Frankfurt Am Main, Germany

Community-Verified AI Explanation Commented on April 23, 2026
Question 3:
Answer: False
Explanation:

In Snowflake, a database is an account-scoped object and exists in a single Snowflake account.

Cross-account access is possible via Secure Data Sharing or by creating a database in the consumer account from a shared object, but that results in a separate database in the consumer account, not the same database existing in both accounts.

Therefore, a single database cannot exist in more than one Snowflake account.

Bengaluru, India

Community-Verified AI Explanation Commented on April 23, 2026
Question 16:

Answer: No

Why: The Azure API Management service is for publishing, securing, and monitoring APIs. It does not automate or provision Azure infrastructure resources.

What to use instead:

- Azure Resource Manager (ARM) templates or Bicep to define the identical set of resources once and deploy them per business unit. - You can parameterize the template to customize naming or unit-specific settings. - For governance and scalable deployments across many units/subscriptions, consider Azure Blueprints or deployments via pipelines.

Summary: To auto-create identical resource sets for multiple units, use ARM/Bicep (with parameters) rather than API Management.

London, United Kingdom

Community-Verified AI Explanation Commented on April 23, 2026
Question 41:

Answer: C (1, 6, 11)

Explanation:

In the 2.4-GHz band, each WLAN channel is about 20 MHz wide and adjacent channels overlap, which can cause collisions.

To minimize interference in a single area, you use three non-overlapping channels: 1, 6, and 11. These are spaced so their 20 MHz footprints don’t significantly overlap.

The mention of “direct sequence spread spectrum (DSSS)” refers to the modulation method used by older 2.4-GHz networks; it doesn’t change the need for non-overlapping channels. Choosing 1, 6, and 11 helps reduce collisions even with DSSS.

Frankfurt Am Main, Germany

Community-Verified AI Explanation Commented on April 23, 2026
Question 39:

Correct answer: C

Explanation:

In CSMA/CD Ethernet, collisions are detected while transmitting. If a collision is detected after at least 64 bytes have been transmitted, it is a late collision.

A runt collision refers to a collision on a frame smaller than the minimum 64 bytes.

The CRC counter increments when a frame fails the CRC check, not due to a collision timing.

Here, since the collision is detected after the first 64 bytes, the interface counter increments for a late collision.

Frankfurt Am Main, Germany

Community-Verified AI Explanation Commented on April 23, 2026
Question 37:

Correct answer: B

Explanation:

You need one subnet to cover all floors with 30–40 users per floor ? roughly 320 hosts. The subnet must provide at least 320 usable addresses.

A /23 (255.255.254.0) gives 510 usable addresses, which is sufficient.

Other options are too small or wasteful:

- A: /16 = 65,536 addresses (wasteful for a single building) - C: /25
Frankfurt Am Main, Germany

Community-Verified AI Explanation Commented on April 23, 2026
Question 28:
Correct answer: D

CAPWAP stands for Control and Provisioning of Wireless Access Points. In local mode, an AP forms a CAPWAP tunnel to the WLC over the IP network, so the AP can be connected to any switch in the network as long as it can reach the WLC (no need for a direct link to the WLC).

Discovery and traffic flow: The AP discovers the WLC (via DHCP option, DNS, or configured WLC IP) and then tunnels control and data traffic to the WLC using CAPWAP (control on UDP 5246, data on UDP 5247). This centralizes management and RF decisions at the WLC.

Why other options are incorrect: It does not have to be on the same switch as the WLC (B) or directly connected via copper to the WLC (C), and it does not create a network loop simply by being wired (A).

Frankfurt Am Main, Germany

Community-Verified AI Explanation Commented on April 23, 2026
Question 25:

Correct answers: A and C.

Why:

A: “5GHz provides increased network capacity with up to 23 nonoverlapping channels.” 5 GHz offers many more nonoverlapping channels than 2.4 GHz, increasing capacity and reducing co-channel interference.

C: “Cells that overlap one another are configured to use nonoverlapping channels.” In overlapping cells, you assign nonoverlapping channels to minimize interference.

Why others are not correct:

B: “5GHz channel selection requires an autonomous access point.” Not true; auto channel selection can be done by a Wireless LAN Controller (WLC) as well.

D: “Adjacent cells with overlapping channels use a repeater access point.” Repeater/mesh often reduces throughput; not a standard best-practice for maximizing performance.

E: “For maximum throughput, the WLC is configured to dynamically set adjacent points to the channel.” Dynamic channel assignment exists, but it’s not listed as one of the two primary design standards in this question.

Frankfurt Am Main, Germany

Community-Verified AI Explanation Commented on April 23, 2026
I thought public and private ip each has own NIC?

No. In Azure, a single NIC can have both a private IP and a public IP address.

For five VMs, you need five NICs total (one NIC per VM) to give each VM both IPs, meeting the requirement.

Only add more NICs if a VM requires connections to multiple networks or subnets, not just for separate IPs.

Kigali, Rwanda

Community-Verified AI Explanation Commented on April 22, 2026
Question 27:

Answer: No.

Why: To manage Defender for Office 365 settings and policies (including those for Teams, SharePoint, and OneDrive), SecAdmin1 must have the Security Administrator role. The Exchange Administrator role only provides rights to manage Exchange Online and does not grant Defender or Purview/compliance access.

How to fix: Grant SecAdmin1 the Security Administrator role in Microsoft Entra ID (or via the Microsoft 365 admin center under Roles > Security Administrator). This role gives access to Defender portals and related security features.

Singapore, Singapore

Community-Verified AI Explanation Commented on April 22, 2026
Détaille Include in every user group
Include in every user group (FortiOS 7.6)

Définition: lorsque cette option est activée lors de la configuration d’un serveur RADIUS sur FortiGate, FortiGate insère automatiquement le serveur RADIUS dans tous les groupes d’utilisateurs FortiGate existants et futurs.

Impact sur les utilisateurs: tout utilisateur qui s’authentifie via ce serveur RADIUS devient membre de chacun des groupes FortiGate. En pratique, cela permet à ces utilisateurs d’être pris en compte par toutes les politiques qui référencent des groupes FortiGate. Attention: un filtrage de groupe via des attributs RADIUS peut restreindre ou modifier ces associations.

Pourquoi l’utiliser: utile lorsque le même source d’authentification externe doit être accepté par plusieurs politiques utilisant différents groupes d’utilisateurs.

Points à considérer:

- ne modifie pas les groupes côté RADIUS; FortiGate n’envoie pas les groupes FortiGate vers le serveur RADIUS. - peut élargir l’accès si mal utilisé; combinez-le avec des attributs RADIUS pour des filtrages fins. - n’affecte pas les groupes LDAP/RADIUS côté serveur; il s’agit d’une relation côté FortiGate uniquement.

Exemple rapide: si une politique vérifie les appartenances à « VPN Users » et « Admins », activer cette option fera que les utilisateurs RADIUS authentifiés y seront automatiquement membres.

Paris, France

Anonymous User Commented on April 22, 2026
Upload this exam please!
Pretoria, South Africa

Community-Verified AI Explanation Commented on April 22, 2026
Question 22:

Correct answer: True (A)

Explanation: Snowflake’s data unload capability allows exporting data from a table to external storage in various file formats, including semi-structured formats like JSON and Parquet. By specifying the FILE_FORMAT option (e.g., JSON or PARQUET), you can unload structured data into these formats for interoperability with other systems or data lakes. The reference doc covers how to prepare and unload data in different formats.

Hyderabad, India

Community-Verified AI Explanation Commented on April 22, 2026
Question 4:
For Question 4, the correct answer is C: The Order field in the Variable form.
Why:

The display sequence of fields within a Service Catalog item is controlled by the Order value on each Variable record. Lower numbers display first; you can set increments (e.g., 10, 20, 30) to re-order easily.

The Default Value field only sets what value appears by default, not the display order.

The Sequence field in the Catalog Item form is not used to control per-variable display order.

The Choice field in the Variable form defines the available options for that variable (for select-type fields), not the overall display order.

Tip:

When arranging variables, edit each variable’s Order to achieve the desired sequence. If two variables share the same order, ServiceNow uses a secondary tie-breaker.

New Delhi, India

Community-Verified AI Explanation Commented on April 21, 2026
Question 30:

The goal: Build an app that routes incoming email/direct messages to French or English language support teams.

Correct answer: Use the Translator Text API at api/cognitive.microsofttranslator.com (Option A).

Why this is correct:

- The Translator API can detect a message’s language and translate content, enabling you to route messages to the appropriate language team based on detected language. - This directly supports language-based routing.

Why the other options are incorrect:

- eastus.api.cognitive.microsoft.com is associated with the Face API, not language routing. - portal.azure.com is the Azure portal for management, not a Cognitive Services API endpoint. - The endpoint /text/analytics/v3.1/entities/recognition/general is for Named Entity Recognition in the Text Analytics API, not for language detection or translation.
Nagercoil, India

Community-Verified AI Explanation Commented on April 21, 2026
Question 27:

Answer: No

Why: MFA (Multi-Factor Authentication) strengthens user login by requiring an additional factor, but it does not encrypt or protect credentials used during automated deployments. In automation, there’s no interactive user to provide MFA, and credentials could still be exposed in deployment artifacts.

What to use instead:

- Store admin credentials in Azure Key Vault as secrets. - Access secrets during deployment via a Managed Identity or a dedicated service principal with a certificate to securely retrieve them. - Ensure proper access policies and encryption at rest (Key Vault uses hardware-backed keys).

Quick takeaway: MFA secures human authentication; for protecting credentials in automated deployments, use Key Vault + Managed Identity/service principal approach.

Monza, Italy

Community-Verified AI Explanation Commented on April 21, 2026
Question 50:
Answer: A

A. Purchase Provisioned Throughput for the custom model. Why: To use a custom Bedrock model, you must allocate provisioning throughput so Bedrock has the compute capacity to run inferences and scale with demand.

Why the others are incorrect:

B. Deploy the custom model in an Amazon SageMaker endpoint. Not required for Bedrock; Bedrock serves models via its own endpoints.

C. Register the model with the Amazon SageMaker Model Registry. SageMaker Registry is separate from Bedrock; not needed to use Bedrock models.

D. Grant access to the custom model in Amazon Bedrock. Access control is important, but the must-do to enable usage is provisioning throughput.

Johannesburg, South Africa

Community-Verified AI Explanation Commented on April 21, 2026
Question 49:
Answer: A and C

A. Detect imbalances or disparities in the data. Why: Identifying data bias helps minimize discriminatory outcomes and improves fairness before training.

C. Evaluate the model's behavior so that the company can provide transparency to stakeholders. Why: Responsible AI requires monitoring and reporting on model behavior, enabling fairness audits and stakeholder trust.

Why others are incorrect:

B. Ensure that the model runs frequently. Not directly about bias minimization; more about operations/monitoring, not fairness.

D. Use ROUGE to ensure that the model is 100% accurate. ROUGE is for text summarization, not overall model accuracy; 100% accuracy is unrealistic.

E. Ensure that the model's inference time is within the accepted limits. Performance/latency, not bias minimization or transparency.

Johannesburg, South Africa

Community-Verified AI Explanation Commented on April 21, 2026
Question 51:

Answer: No.

Why: The goal is to implement a phrase list in Conversational Language Understanding, not to create a separate utterance for each phrase. A phrase list is a separate resource that provides a set of known strings to help the model recognize values (like city names) across intents. Creating a new utterance for each phrase does not utilize the phrase list feature correctly.

How to implement correctly:

- Create a Phrase List (e.g., LocationPhrases) containing the items: London, Seattle, Ukraine. - Attach or reference this phrase list from the FindContact intent so city names are recognized reliably. - Use these phrases to guide recognition of the location values in user input.

Result: This leverages the phrase list capability to improve matching of location names without inflating training utterances.

Courbevoie, France

Community-Verified AI Explanation Commented on April 21, 2026
Question 9:

Correct answer: D. Azure Logic Apps

Why: Defender for Cloud’s workflow automation is designed to trigger automated, end-to-end workflows when security alerts, recommendations, or compliance changes occur. Azure Logic Apps provides a low-code, visual workflow designer with built-in connectors (including Defender for Cloud) to orchestrate remediation, notifications, and ticketing across Azure and other systems.

How to implement (conceptual gist):

- Create a Logic Apps workflow that is triggered by Defender for Cloud security alerts or recommendations. - Add actions to remediate (e.g., run remediation scripts, adjust NSGs, notify InfraSec), and to log or ticket the incident. - Use connectors to integrate with other services (Azure Automation, ITSM, Teams/Slack) for coordinated response.

Why not the others:

- Azure Monitor alert webhooks: useful for basic notifications, not full workflow orchestration. - Azure Event Hubs: data ingestion, not remediation workflows. - Azure Functions: possible for automation but requires more custom coding; Logic Apps is the recommended, simpler workflow platform for this use case.
Bollnäs, Sweden

Community-Verified AI Explanation Commented on April 21, 2026
Question 64:

Correct answer: B, C, E

Why:

- B: Adjust the inventory quantity to zero — you need zero on-hand quantity so you don’t carry old stock into the new costing method. - C: Adjust the inventory cost to zero — clears existing value so the transition doesn’t lock in standard-cost balances. - E: Change the Item Model Group — the Item Model Group defines the costing method; switching it to Moving Average is how you enable moving average costing going forward.

Why the other options aren’t suitable:

- A: Change the Item Group — affects category/grouping, not the costing method needed for this conversion. - D: Run inventory close — not listed as required in the provided solution for this specific conversion sequence.

Quick implementation idea:

- For each item to convert, set on-hand quantity to 0 (B) and on-hand cost to 0 (C), then update the Item Model Group to use Moving Average (E). After this, new transactions will use moving average costing.
Bengaluru, India

Community-Verified AI Explanation Commented on April 21, 2026
Question 6:
For Question 6:

Correct answer: B. Create an AWS Snowball Edge job. Receive a Snowball Edge device on premises. Use the Snowball Edge client to transfer data to the device. Return the device so that AWS can import the data into Amazon S3.

Why this is correct:

The goal is to move about 70 TB with the least use of network bandwidth and as fast as possible.

Snowball Edge is a physical data transfer device. You load data locally, ship it back to AWS, and AWS imports it into S3. This minimizes impact on your production network and is typically the fastest option for large volumes.

Why other options are not optimal:

A: Copying over the network with the AWS CLI would consume significant bandwidth and take longer.

C: An S3 File Gateway transfers data over your network to S3, adding latency and using your bandwidth.

D: A Direct Connect link still relies on network transfer and adds unnecessary complexity for a one-time bulk migration.

Key concept: For large, one-time migrations with minimal network impact, offline transfer with Snowball Edge is preferred.
Chennai, India

Community-Verified AI Explanation Commented on April 20, 2026
Question 104:

Correct answer: A — PDU selections must be changed using the panel icon.

Explanation:

- With PDUs rated at 12A, you should not exceed 80% for continuous load, which is 9.6A per PDU. - To meet the 9.6A limit and maintain redundancy, reconfigure which devices are fed by which PDU (instead of leaving the same devices on the same PDUs). - In the simulator’s example, you would: - Keep the Mail Relay on Rack1, but move its primary/failover to PDU B. - Move VM Host 1 and VM Host 2 to Rack2. - Assign VM Host 1 primary to PDU A and failover to PDU B. - Assign VM Host 2 primary to PDU B and failover to PDU A. - This distributes load across PDUs A and B so no single PDU exceeds 9.6A and provides redundancy if one PDU fails.
Cape Town, South Africa

Community-Verified AI Explanation Commented on April 20, 2026
Question 2:
Correct answer: B
Explanation:

The peak is predictable (weekends 6 PM–11 PM), so a scheduled scaling action is the most operationally efficient. You configure the Auto Scaling Group to increase the desired capacity before the peak and decrease it after, with recurrence rules for the weekend times.

This uses built-in ASG functionality, requires no custom code or maintenance, and ensures capacity is ready in advance.

Why not the other options?

A (Lambda with a scheduled rule): Adds custom code to manage capacity, increasing maintenance and potential failure points.

C (target tracking by memory): Reactive rather than proactive; may not align precisely with weekend peaks and may not guarantee capacity before load spikes.

D (cooldown adjustments): Cooldown manages pacing after scaling actions, not scheduling or pre-emptive scale-out for known peak times.

Key concept:

Use scheduled actions in an ASG to proactively adjust capacity at known peak times for predictable workloads, maximizing performance with minimal ongoing ops.

São Paulo, Brazil

Community-Verified AI Explanation Commented on April 20, 2026
Question 4:

Correct answer: D. A safe environment in which to develop practical skills and knowledge of a technology and to test the technology.

Explanation:

The primary purpose of a wireless equipment lab is to provide a controlled, safe space for hands-on learning and testing without impacting production systems.

It supports skill development, experimentation, and troubleshooting.

Other options are not the main benefit: not primarily for RF exposure testing (A), production failover (B), or repurposing old hardware (C).

Innisfil, Canada

Community-Verified AI Explanation Commented on April 20, 2026
Question 1:
Question 1 asks which statements correctly describe language options when using Snowflake interfaces (select TWO).

A. Notebook cells can be written in Python. Correct. Snowflake Notebooks support Python as an executable cell type alongside SQL.

C. Notebook cells can be written in SQL. Correct. Notebooks also support SQL cells for declarative querying.

Why the others are not correct:

B. Databases can process queries using Scala. Not correct. Snowflake does not natively execute queries in Scala; Scala is available via Snowpark for application code, not as a direct query language.

D. Worksheets can only be written in SQL. Not correct. Snowsight worksheets are SQL-based but can also use Snowflake Scripting (procedural code), so they’re not restricted to SQL alone.

E. Dashboards can be written in JavaScript. Not correct. Dashboards are SQL-backed visualizations in Snowsight; JavaScript isn’t the authoring language there.

Key takeaway: A and C are the correct options because Snowflake Notebooks support both SQL and Python for notebook cells.
Innisfil, Canada

Community-Verified AI Explanation Commented on April 20, 2026
Question 12:

Correct answer: Test a flow with rollback

Why: Flow Designer supports:

- Call a subflow from a flow - Use Delegated Developer - Run a flow from a MetricBase Trigger The ability to test a flow with rollback is a capability of the Automated Test Framework (ATF), not Flow Designer.
Bengaluru, India

Community-Verified AI Explanation Commented on April 20, 2026
Question 7:

Answer: A — Association Response is a Management Frame.

Why:

- 802.11 frames are categorized into Data Frame, Management Frame, and Control Frame. - The Association Request/Association Response are part of the Management Frame used during the initial association process between a station and an AP. - The AP sends the Association Response in reply to the Association Request, indicating status and assigning an AID.
If you want, I can explain what’s included in the Association Response (e.g., status code, AID).
Harare, Zimbabwe

Community-Verified AI Explanation Commented on April 20, 2026
Question 21:

Answer: Utility (D)

Explanation:

In ITIL 4, value from a service comes from two properties: utility and warranty.

Utility = fitness for purpose; it asks whether the service provides the right functionalities and outcomes to meet customer needs.

Warranty = fitness for use; it covers availability, capacity, continuity, and security.

So to determine if a service is fit for purpose, assess its utility—does it deliver the required features and outcomes for the user?

Norwich, United Kingdom

Sumit Chaturvedi Commented on April 20, 2026
Is CAD Exam Have same questions every time or it changes on each attempts or changes few but not all, Please Suggest if some one have this info
Singapore, Singapore

Community-Verified AI Explanation Commented on April 20, 2026
Question 1:

Correct answer: Databricks web application (Option C)

Why:

- In the classic Databricks architecture, the control plane hosts the managed services that handle UI, authentication, and orchestration (the Databricks web application and related APIs). - The data plane runs the actual compute resources (the driver node and worker nodes) and storage interfaces like DBFS. - Therefore, the web application is hosted completely in the control plane, while the compute components (driver/worker) are in the data plane.
Pune, India

Community-Verified AI Explanation Commented on April 19, 2026
Question 77:

Answer: Billing Administrator

Why: Purchasing licenses is a licensing/billing action. The Billing Administrator role has the minimum rights to manage billing/subscriptions and license purchases for the subscription. The other roles are broader or unrelated to licensing:

- Global Administrator: full tenant-wide access (not least privilege). - Permissions Management Administrator: controls permissions management, not licensing. - User Access Administrator: manages access to resources, not licensing.

How to assign (brief): In the Azure portal, go to the subscription Sub1 ? Access control (IAM) ? Add role assignment ? select Billing Administrator ? assign to User1.

Rueil-Malmaison, France

Community-Verified AI Explanation Commented on April 19, 2026
Question 97:
Question 97 explains you need a CA policy for App1 that allows only Windows devices and only compliant devices.

Correct settings:

- Condition: Device platforms -> Windows - Grant: Require device to be compliant

Why:

- Device platforms restrict which devices can even be evaluated (Windows in this case). - The grant control enforces that the device is compliant (Intune/compliance policy)
Tübingen, Germany

Community-Verified AI Explanation Commented on April 19, 2026
Question 91:

Answer: The maximum number of user risk policies you can configure is 1 (Option A).

Why: In Azure AD Identity Protection, there are two policy types that use risk signals: User risk policies and Sign-in risk policies. The limit for User risk policies is one per tenant. You configure this single policy to define actions (e.g., require MFA, block) based on detected user risk levels. If you need additional controls, use Sign-in risk policies (a separate policy type) in addition to the one user risk policy.

Tübingen, Germany

Salesforce IDENTITY-AND-ACCESS-MANAGEMENT-DESIGNER: Skills Tested, Job Roles, and Study Tips

The Salesforce Certified Identity and Access Management Designer exam is specifically designed for professionals who specialize in the architecture, configuration, and implementation of identity and access solutions within the Salesforce ecosystem. Candidates for this certification typically work as system architects, security administrators, or identity management specialists who are responsible for ensuring that users have secure, appropriate, and efficient access to enterprise applications. Organizations hire individuals with this credential because they need experts who can navigate the complexities of authentication protocols, authorization frameworks, and user provisioning strategies in a cloud-based environment. This certification validates that a professional understands how to design secure, scalable, and compliant identity management systems that protect sensitive corporate data from unauthorized access. It is a critical role in any enterprise that relies on Salesforce to manage customer and employee data across multiple platforms, as the security of these systems is paramount to business continuity.

Professionals who hold this certification are often tasked with bridging the gap between business requirements and technical security implementations. They must be able to translate complex security policies into functional configurations within Salesforce, ensuring that the organization remains compliant with internal and external regulations. This role requires a deep understanding of how identity flows work, including the interaction between Salesforce and external identity providers, as well as the management of user lifecycles from onboarding to offboarding. Because identity management is a foundational element of enterprise security, these professionals are highly valued for their ability to mitigate risks associated with data breaches and unauthorized access. By passing this exam, you demonstrate that you possess the specialized knowledge required to lead identity projects and provide strategic guidance on security architecture.

What the IDENTITY-AND-ACCESS-MANAGEMENT-DESIGNER Exam Covers

The IDENTITY-AND-ACCESS-MANAGEMENT-DESIGNER exam covers a broad spectrum of technical domains, including the implementation of Single Sign-On, the configuration of OAuth flows, and the management of user provisioning across various environments. Candidates must demonstrate a deep understanding of how to secure Salesforce environments by applying best practices for authentication and authorization, which are essential for maintaining data integrity and system reliability. Our practice questions are designed to mirror these core domains, allowing you to test your knowledge on topics like SAML assertions, OpenID Connect, and the nuances of Salesforce identity features such as Connected Apps and My Domain. By working through these practice questions, you will gain familiarity with the types of scenarios that require you to choose the most secure and efficient identity solution for a given business requirement. This comprehensive approach ensures that you are not just memorizing facts but are actually learning how to apply identity concepts to real-world architectural challenges that you will face on the job.

The most technically demanding area of this exam often involves the intricate details of OAuth and SAML implementation, where small configuration errors can lead to significant security vulnerabilities or authentication failures. Candidates must be able to troubleshoot complex integration scenarios where multiple identity providers are involved, requiring a precise understanding of how tokens, assertions, and endpoints interact during the authentication process. This level of technical depth requires more than surface-level knowledge, as you must be able to visualize the entire authentication flow from the initial user request to the final access grant. Mastering these concepts is essential for passing the exam, as many questions will present you with a specific architectural problem and ask you to identify the correct protocol or configuration setting to resolve it. You will need to be comfortable with the differences between various OAuth flows, such as the web server flow and the user agent flow, and understand when each is appropriate based on the security requirements of the application.

Are These Real IDENTITY-AND-ACCESS-MANAGEMENT-DESIGNER Exam Questions?

Our platform provides practice questions that are sourced and verified by the community, ensuring that you are studying with material that reflects the current state of the certification exam. These are not just random questions, as our community-verified approach relies on IT professionals and recent test-takers who have sat for the actual exam to contribute their insights and validate the accuracy of the content. Because these questions are sourced from the community, they reflect what appears on the real exam, providing you with a realistic assessment of your readiness and helping you identify areas where you need further study. If you have been searching for IDENTITY-AND-ACCESS-MANAGEMENT-DESIGNER exam dumps or braindump files, our community-verified practice questions offer something more valuable, as each question is verified and explained by IT professionals who recently passed the exam. We prioritize accuracy and educational value over unauthorized content, ensuring that your study time is spent effectively and that you are learning the concepts rather than just memorizing answers.

The community verification process is a collaborative effort where users discuss answer choices, flag potentially incorrect information, and provide context based on their own experiences during the exam. When a user encounters a difficult question, they can review the discussions left by others who have already tackled that specific topic, which helps clarify the reasoning behind the correct answer and provides alternative perspectives on the problem. This feedback loop is what makes our practice questions reliable, as it allows for continuous improvement and refinement of the content based on the collective knowledge of the community. By engaging with these discussions, you gain access to a wealth of practical experience that goes beyond what is found in standard textbooks or official documentation. This collaborative environment fosters a deeper understanding of the material, as you are learning from the successes and mistakes of your peers who have already navigated the certification process.

How to Prepare for the IDENTITY-AND-ACCESS-MANAGEMENT-DESIGNER Exam

Effective exam preparation for the IDENTITY-AND-ACCESS-MANAGEMENT-DESIGNER certification requires a combination of hands-on experience and a thorough understanding of the underlying identity concepts. You should spend time in a Salesforce sandbox environment, configuring SSO and OAuth flows to see how these settings behave in practice, rather than relying solely on theoretical study. Every practice question includes a free AI Tutor explanation that breaks down the reasoning behind the correct answer, so you understand the concept, not just the answer. This AI Tutor is a powerful tool for your exam prep, as it helps you bridge the gap between knowing a definition and applying it to a complex, scenario-based question. Building a consistent study schedule that allows you to revisit difficult topics will also help you retain information more effectively as you approach your exam date, ensuring that you are confident in your knowledge across all exam domains.

A common mistake candidates make is focusing too heavily on rote memorization of definitions, which often leaves them unprepared for the scenario-based questions that dominate this certification exam. These questions require you to analyze a business requirement and determine the best architectural solution, which is a skill that cannot be developed through memorization alone. Another frequent error is failing to manage time effectively during the exam, leading to rushed decisions on complex questions that require careful reading and analysis. To avoid these pitfalls, you should practice with timed sessions that force you to work through scenarios under pressure, ensuring that you can apply your knowledge quickly and accurately. By focusing on the "why" behind each configuration choice, you will be better equipped to handle the variations and complexities that you will encounter on the actual exam.

What to Expect on Exam Day

On the day of your exam, you can expect a format that primarily consists of multiple-choice and scenario-based questions, which are designed to test your ability to apply identity management principles in real-world situations. The exam is administered through a secure testing environment, typically via Pearson VUE, which ensures the integrity and fairness of the certification process for all candidates. You will have a set amount of time to complete the exam, and it is important to pace yourself, especially when encountering complex scenarios that require multiple steps of analysis. While the specific passing score is determined by Salesforce and can vary, your focus should be on demonstrating a comprehensive understanding of the exam objectives rather than aiming for a minimum threshold. Being prepared for the testing environment and the types of questions you will face will help you remain calm and focused throughout the duration of the exam, allowing you to perform at your best.

The testing environment is designed to be distraction-free, whether you are taking the exam at a physical testing center or through an online proctored session. You will need to ensure that your identification is ready and that you are familiar with the rules of the testing platform, such as the prohibition of unauthorized materials and the requirements for your workspace. During the exam, you will have the ability to flag questions for review, which is a useful strategy if you encounter a particularly difficult scenario that you want to revisit after completing the rest of the exam. It is important to read each question carefully, as the wording can sometimes contain subtle clues that point to the correct answer or help you eliminate incorrect options. By approaching the exam with a clear strategy and a solid foundation of knowledge, you can navigate the testing experience with confidence and focus on demonstrating your expertise.

Who Should Use These IDENTITY-AND-ACCESS-MANAGEMENT-DESIGNER Practice Questions

This certification exam is intended for experienced Salesforce professionals, such as identity architects, security engineers, or senior administrators, who have a solid foundation in identity and access management. If you are looking to validate your expertise and advance your career in the Salesforce ecosystem, this certification is a significant milestone that demonstrates your ability to handle complex security requirements. Your exam preparation should be focused on mastering the core concepts and understanding how they integrate with the broader Salesforce platform. By achieving this certification, you signal to employers that you possess the specialized skills necessary to design and maintain secure identity solutions in enterprise environments. Whether you are aiming for a promotion or looking to transition into a more specialized security role, this certification provides the credibility and knowledge base you need to succeed.

To get the most out of these practice questions, you should avoid simply reading the answer and instead engage deeply with the AI Tutor explanation to understand the underlying logic. You should also participate in the community discussions to see how others have interpreted the questions, which can provide valuable insights into the nuances of the exam. If you find yourself consistently getting certain types of questions wrong, flag them and revisit them later to ensure that you have fully grasped the concept. This iterative process of testing, reviewing, and learning is the most effective way to prepare for the certification exam. Browse the questions above and use the community discussions and AI Tutor to build real exam confidence.

Updated on: 01 May, 2026

AI Tutor 👋 I’m here to help!

Salesforce IDENTITY-AND-ACCESS-MANAGEMENT-DESIGNER Exam Questions Salesforce Certified Identity and Access Management Designer (Page 7 )

QUESTION: 26

QUESTION: 27

QUESTION: 28

QUESTION: 29

QUESTION: 30

IDENTITY-AND-ACCESS-MANAGEMENT-DESIGNER Exam Discussions & Posts (Share your experience with others)

Salesforce IDENTITY-AND-ACCESS-MANAGEMENT-DESIGNER: Skills Tested, Job Roles, and Study Tips

What the IDENTITY-AND-ACCESS-MANAGEMENT-DESIGNER Exam Covers

Are These Real IDENTITY-AND-ACCESS-MANAGEMENT-DESIGNER Exam Questions?

How to Prepare for the IDENTITY-AND-ACCESS-MANAGEMENT-DESIGNER Exam

What to Expect on Exam Day

Who Should Use These IDENTITY-AND-ACCESS-MANAGEMENT-DESIGNER Practice Questions

Salesforce IDENTITY-AND-ACCESS-MANAGEMENT-DESIGNER Exam Questions
Salesforce Certified Identity and Access Management Designer (Page 7 )