Salesforce Updated Identity-and-Access-Management-Architect Exam Questions and Answers by zayden

Identity Verification Credits are consumed when Salesforce sends verification challenges through the configured channel, and SMS-based passwordless login specifically depends on SMS verification activity. Therefore the right estimation approach is to forecast how many SMS verification events the portal will generate, not how many community licenses exist. Some Salesforce identity offerings include baseline entitlements, but capacity planning still centers on expected verification traffic. If the portal intends to let customers log in with one-time passcodes sent by text, then every challenge can consume credits. The architecture question is really an operational one: estimate the expected volume of SMS-based login verification and size the verification-credit requirement to match that demand. This is why option C is the best answer in Salesforce terms.

For a server-to-server integration that should avoid end-user interaction and maximize security, the JWT Bearer Flow is the strongest fit. Salesforce documents it for noninteractive scenarios where a trusted external service can sign an assertion with a certificate and exchange it for an access token. That means no browser- based approval screen, no password collection, and no dependence on a human being present to authorize the session. Web Server and User-Agent flows are designed for interactive delegated access, while username-password is a special-case pattern with weaker security characteristics. The architectural takeaway is simple: when the client is a trusted server and the goal is high assurance with minimal user involvement, certificate-based JWT exchange is the preferred Salesforce approach. This is why option A is the best answer in Salesforce terms.

The OAuth 2.0 Asset Token Flow is Salesforce’s purpose-built answer for connected devices and IoT-style integrations. It is designed for assets that need to act on behalf of a physical device or asset record rather than a human user. That makes it the correct fit for sensors, GPS trackers, or smart devices that must securely post telemetry or create service actions in Salesforce. User-agent, web-server, or username-password flows are built around user identity or generic application access, not around a registered device/asset relationship. The architectural advantage of the asset token model is that it ties the authorization context back to the asset, which is exactly what you want when the platform must know which device generated the event or maintenance alert. This is why option A is the best answer in Salesforce terms.

If users must log in to the Salesforce mobile app with their Active Directory credentials and cannot rely on a mobile VPN, the architecture usually combines Salesforce Identity Connect with the appropriate Active Directory authentication plug-in or federation integration that allows Salesforce to honor those AD credentials without direct VPN dependency. Identity Connect helps bridge AD user management into Salesforce, while the directory-side authentication component handles password validation against Active Directory. Custom triggers or load balancers do not solve the identity problem. The important architecture idea is that workforce users should continue using their corporate directory password, and Salesforce should trust that directory-driven authentication path in a mobile-friendly way. This is why options A, B work together as the correct solution.