CompTIA Security+ Identity Management Practice Questions 2026

Identity and Access Management (IAM) is a cornerstone of the CompTIA Security+ exam, testing your understanding of how organizations verify who users are (authentication), determine what they can access (authorization), and track what they do (accounting). From multi-factor authentication and single sign-on to federation protocols and access control models, IAM concepts appear across multiple exam domains and are fundamental to every security professional's daily work.

Exam Weight: Domain 4, Security Operations (28% of the SY0-701 exam; identity and access management is objective 4.6 within that domain)

What Is Identity Management on the Security+ Exam?

Identity management encompasses the policies, technologies, and processes that manage digital identities throughout their lifecycle — from account creation to deprovisioning. For the Security+ exam, this domain tests three core areas often called the AAA framework: Authentication (verifying identity), Authorization (granting permissions), and Accounting (logging activities).

The exam covers a wide range of IAM technologies: multi-factor authentication (MFA) using different factor categories, single sign-on (SSO) systems that reduce password fatigue, federation protocols like SAML and OpenID Connect that enable cross-organizational authentication, directory services like LDAP and Active Directory that centralize identity stores, and privileged access management (PAM) that secures high-risk administrative accounts.

Access control models form another critical area: Discretionary Access Control (DAC) where resource owners control permissions, Mandatory Access Control (MAC) where system-enforced labels dictate access, Role-Based Access Control (RBAC) where permissions map to job functions, and Attribute-Based Access Control (ABAC) where dynamic policies evaluate multiple attributes. Understanding when to apply each model is essential for scenario-based exam questions.

Why Identity Management Matters for Security+

Identity is the new security perimeter. As organizations adopt cloud services, remote work, and zero-trust architectures, traditional network-based security boundaries dissolve. Identity becomes the primary control point — every access decision starts with verifying who is requesting access, what they're authorized to do, and whether their access context is trustworthy.

The Security+ exam reflects this reality by testing IAM concepts across multiple domains. Authentication and authorization appear in security architecture questions. Account management surfaces in operational security. Federation and SSO appear in cloud security scenarios. Mastering IAM gives you a foundation that strengthens your performance across the entire exam.

In professional practice, IAM-related misconfigurations are among the most common root causes of security breaches. Weak passwords, over-provisioned accounts, orphaned service accounts, and missing MFA are recurring themes in breach reports. The Security+ certification validates that you understand these risks and can implement appropriate controls.

Key Identity Management Concepts to Master

Authentication Factors

Something you know (passwords, PINs, security questions), something you have (smart cards, hardware tokens, authenticator apps), something you are (fingerprint, facial recognition, retinal scan), somewhere you are (GPS, IP geolocation), and something you do (typing patterns, gait analysis). MFA requires two or more DIFFERENT factor categories.
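The "different categories" rule is easy to state and easy to get wrong in a login flow. The following is an added example, not code from the original page: a server-side check that first verifies each presented credential on its own (a PBKDF2 password hash, a PIN hash, and an RFC 6238 TOTP code generated by an authenticator app) and only then counts how many distinct factor categories the verified credentials cover. A password plus a PIN both verify but remain single-factor. The user record, salt, TOTP seed and codes are constructed sample data.

```python
# Added example (not from the original page): server-side MFA evaluation.
# Two things are checked: each presented credential is verified on its own
# (a PBKDF2 password hash, a PIN hash, and an RFC 6238 TOTP code), and the
# credentials that verified must span two or more DIFFERENT factor categories.
# A password plus a PIN both verify but are still single-factor.
# The user record, secrets and codes below are constructed sample data.
import base64
import hashlib
import hmac
import struct

# Category each credential type belongs to (the exam's factor model).
FACTOR_CATEGORY = {
    "password": "something you know",
    "pin": "something you know",
    "totp": "something you have",   # the shared secret lives on the device
}


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def verify_totp(secret_b32: str, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to absorb clock drift.
    Constant-time compare so a wrong digit is not distinguishable by timing."""
    return any(
        hmac.compare_digest(totp(secret_b32, now + d * 30), code)
        for d in range(-window, window + 1)
    )


def hash_secret(value: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)


def verify_secret(stored: bytes, salt: bytes, value: str) -> bool:
    return hmac.compare_digest(stored, hash_secret(value, salt))


def evaluate_login(user: dict, presented: list, now: int):
    """Return (is_mfa, verified_categories). Only credentials that actually
    verify contribute a category, so a wrong TOTP code does not count."""
    verified = set()
    for kind, value in presented:
        ok = False
        if kind == "password":
            ok = verify_secret(user["pw_hash"], user["salt"], value)
        elif kind == "pin":
            ok = verify_secret(user["pin_hash"], user["salt"], value)
        elif kind == "totp":
            ok = verify_totp(user["totp_secret"], value, now)
        if ok:
            verified.add(FACTOR_CATEGORY[kind])
    return len(verified) >= 2, verified


# Constructed sample user; in practice the hashes come from the directory or IdP.
SALT = b"constructed-per-user-salt"
USER = {
    "salt": SALT,
    "pw_hash": hash_secret("correct horse battery", SALT),
    "pin_hash": hash_secret("2468", SALT),
    "totp_secret": "JBSWY3DPEHPK3PXP",  # constructed base32 seed
}

if __name__ == "__main__":
    now = 1_700_000_000
    code = totp(USER["totp_secret"], now)
    print(evaluate_login(USER, [("password", "correct horse battery"), ("totp", code)], now))
    print(evaluate_login(USER, [("password", "correct horse battery"), ("pin", "2468")], now))
```

The `totp` function reproduces the RFC 6238 test vectors (secret `12345678901234567890`, time 59 gives `287082`), so it can be checked against a real authenticator app. The small drift window is a deliberate trade: each extra step accepted widens the replay window for a stolen code.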

Single Sign-On (SSO)

SSO allows users to authenticate once and access multiple applications without re-entering credentials. Benefits: reduced password fatigue, fewer help desk calls, centralized access control. Risks: single point of failure — if SSO credentials are compromised, all connected applications are exposed. Implement with MFA to mitigate this risk.

Federation Protocols

SAML 2.0 (XML-based enterprise SSO: an Identity Provider issues signed assertions that a Service Provider consumes), OAuth 2.0 (an authorization framework for delegated API access using access tokens; by itself it does not authenticate the user), OpenID Connect (an authentication layer on top of OAuth 2.0 that returns a signed ID token, used by modern web and mobile apps), Kerberos (ticket-based authentication inside an Active Directory domain; not a federation protocol, but the exam tests it alongside these). Know the use case for each protocol.
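The practical difference between OAuth 2.0 and OpenID Connect is the ID token: a signed JWT whose claims name the authenticated user, which the relying party must validate before trusting it. The following is an added example, not code from the original page, showing that validation with only the Python standard library. It assumes the token is HS256-signed with the client secret, which OIDC permits for confidential clients (RS256 against the provider's JWKS is the more common deployment and needs a crypto library); the issuer, client ID, secret and claims are constructed sample values.

```python
# Added example (not from the original page): validating an OpenID Connect ID token.
# OIDC adds an authentication layer to OAuth 2.0 by returning a signed JWT (the
# ID token). The relying party must verify the signature and then the iss, aud,
# exp and nonce claims before trusting `sub` as the logged-in user.
# Assumptions: the token is HS256-signed with the client secret, which OIDC
# permits for confidential clients (RS256 against the provider's JWKS is the
# more common case and needs a crypto library). The issuer, client ID, secret
# and claims below are constructed sample values.
import base64
import hashlib
import hmac
import json

ISSUER = "https://idp.example.com"            # constructed
CLIENT_ID = "app-123"                         # constructed
CLIENT_SECRET = b"constructed-client-secret"  # constructed


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def mint_id_token(claims: dict, secret: bytes = CLIENT_SECRET, alg: str = "HS256") -> str:
    """The identity provider's side, here only to produce tokens to validate.
    `alg` is a parameter so a test can build an alg:none token that must be rejected."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = _sign(signing_input, secret) if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_id_token(token: str, expected_nonce: str, now: int,
                      secret: bytes = CLIENT_SECRET) -> dict:
    """Return the verified claims or raise ValueError.
    Order matters: pin the algorithm, verify the signature, and only then read
    claims, so an attacker-controlled payload is never interpreted first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":            # blocks alg:none and key-confusion tricks
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = _sign(f"{header_b64}.{payload_b64}".encode(), secret)
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:              # a token minted for another app must not log anyone in here
        raise ValueError("token not intended for this client")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:   # ties the token to this login attempt
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def id_token_is_valid(token: str, expected_nonce: str, now: int) -> bool:
    try:
        validate_id_token(token, expected_nonce, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    now = 1_700_000_000
    good = mint_id_token({"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
                          "iat": now, "exp": now + 300, "nonce": "n-1"})
    print(validate_id_token(good, "n-1", now)["sub"])
```

The `aud` check is the one most often skipped in practice: an ID token issued to a different client at the same IdP is correctly signed and unexpired, and without the audience check it logs the bearer into the wrong application.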

Access Control Models

DAC (owner-controlled, flexible but less secure), MAC (label-based, military/government, most restrictive), RBAC (role-based, most common in enterprises), ABAC (attribute-based, most flexible — evaluates user, resource, action, and environment), Rule-Based (condition-based allow/deny). Each has distinct security properties.
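What separates the models is who sets the rule and what the rule looks at. The following is an added example, not code from the original page: minimal decision functions for DAC, MAC, RBAC and ABAC side by side. The MAC check applies the Bell-LaPadula confidentiality rules (no read up, no write down); the users, labels, roles and the single ABAC policy are constructed sample data and do not follow any real product's policy format.

```python
# Added example (not from the original page): minimal decision functions for
# DAC, MAC, RBAC and ABAC, so the difference in WHO decides and WHAT is
# evaluated is visible in code. Users, labels, roles and policies are
# constructed sample data, not any real product's policy format.
from dataclasses import dataclass, field

# --- MAC: labels are assigned by the system; subjects cannot change them. ---
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def mac_allows(clearance: str, classification: str, action: str) -> bool:
    """Bell-LaPadula confidentiality rules: no read up, no write down."""
    subject, obj = LEVELS[clearance], LEVELS[classification]
    if action == "read":
        return subject >= obj
    if action == "write":
        return subject <= obj
    raise ValueError(f"unknown action {action!r}")


# --- DAC: the resource owner edits the ACL at their discretion. -------------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # principal -> set of actions

    def grant(self, by: str, principal: str, action: str) -> None:
        if by != self.owner:
            raise PermissionError(f"{by} is not the owner")
        self.acl.setdefault(principal, set()).add(action)

    def allows(self, principal: str, action: str) -> bool:
        return principal == self.owner or action in self.acl.get(principal, set())


# --- RBAC: permissions attach to roles; users get roles, never permissions. --
ROLE_PERMS = {
    "helpdesk": {"ticket:read", "ticket:write", "user:reset_password"},
    "domain_admin": {"user:create", "user:delete", "gpo:edit", "user:reset_password"},
}


def rbac_allows(user_roles: set, permission: str) -> bool:
    return any(permission in ROLE_PERMS.get(role, ()) for role in user_roles)


# --- ABAC: a policy evaluates subject, resource, action and environment. ----
def same_department_read_policy(subject: dict, resource: dict, action: str, env: dict) -> bool:
    """Allow reads of a document from the subject's own department, from a
    managed device, during business hours (constructed policy)."""
    return (
        action == "read"
        and subject["department"] == resource["department"]
        and env["device_managed"]
        and 8 <= env["hour"] < 18
    )


def abac_allows(subject: dict, resource: dict, action: str, env: dict,
                policies=(same_department_read_policy,)) -> bool:
    """Deny by default; any matching policy allows (permit-overrides combining)."""
    return any(p(subject, resource, action, env) for p in policies)


if __name__ == "__main__":
    print(mac_allows("SECRET", "TOP SECRET", "read"))   # no read up
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")
    print(doc.allows("bob", "read"), doc.allows("bob", "write"))
    print(rbac_allows({"helpdesk"}, "gpo:edit"))
    print(abac_allows({"department": "eng"}, {"department": "eng"}, "read",
                      {"device_managed": True, "hour": 10}))
```

Note how the same question changes shape: in DAC only `alice` can widen access, in MAC nobody in the code path can, in RBAC the help desk role never carries `gpo:edit` no matter who holds it, and in ABAC the same user and document get different answers at 10:00 and 22:00 because the environment is part of the decision.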

Directory Services

LDAP provides hierarchical identity storage and query capability. Active Directory combines LDAP, Kerberos, DNS, and Group Policy. RADIUS and TACACS+ provide centralized AAA for network devices and remote access: RADIUS obfuscates only the password attribute and combines authentication and authorization in one exchange, while TACACS+ encrypts the entire packet body and separates authentication, authorization and accounting, which is why it is preferred for device administration. Ports: LDAP TCP 389 (636 for LDAPS), RADIUS UDP 1812 for authentication and 1813 for accounting (legacy 1645/1646), TACACS+ TCP 49.
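The RADIUS versus TACACS+ contrast is worth seeing on the wire. The following is an added example, not code from the original page: it builds a RADIUS Access-Request and applies the User-Password hiding from RFC 2865 section 5.2 (XOR with an MD5 keystream derived from the shared secret and the Request Authenticator). The username and every other attribute remain in cleartext, and the keystream depends only on a shared secret, which is the weakness TACACS+ avoids by encrypting the whole packet body. The shared secret, authenticator, username and password are constructed sample values.

```python
# Added example (not from the original page): the RADIUS User-Password hiding
# from RFC 2865 section 5.2, implemented to make the RADIUS/TACACS+ contrast
# concrete: only the User-Password attribute is obfuscated (XOR with an MD5
# keystream derived from the shared secret and the Request Authenticator);
# User-Name and every other attribute travel in cleartext. TACACS+ encrypts
# the entire packet body. Shared secret, authenticator, username and password
# below are constructed sample values.
import hashlib
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad with NULs to a multiple of 16 (at least one block), then for each
    block: b_i = MD5(secret + previous ciphertext block), c_i = p_i XOR b_i.
    The first 'previous block' is the 16-byte Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server (or anyone holding the
    shared secret and the captured packet) performs it. Trailing NUL padding
    is stripped, so a password that really ends in NUL bytes would lose them."""
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type(1) Length(1, includes the 2-byte header) Value."""
    return struct.pack("BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes = None) -> bytes:
    """Packet layout: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes.
    The Request Authenticator must be random and unique per request."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLVs after the 20-byte header; returns {type: value}."""
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


if __name__ == "__main__":
    auth = bytes(range(16))  # constructed; real requests use os.urandom(16)
    pkt = build_access_request(7, b"alice", b"s3cret", b"shared-secret", auth)
    print(pkt.hex())
    print(b"alice" in pkt, b"s3cret" in pkt)
    print(reveal_password(parse_attributes(pkt)[ATTR_USER_PASSWORD], b"shared-secret", auth))
```

Two consequences follow directly from the code: anything other than the password (username, NAS address, calling station) is readable by whoever sees the packet, and because the only unknown in the keystream is the shared secret, a captured Access-Request lets an attacker test secret guesses offline. Both are reasons to run RADIUS over IPsec or RadSec, or to use TACACS+ for device administration.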

Privileged Access Management

PAM solutions secure, monitor, and manage privileged accounts (admin, root, service accounts). Key features: password vaulting, session recording, just-in-time access, privilege elevation workflows, and credential rotation. PAM reduces insider threat risk and is required by many compliance frameworks.

Sample Identity Management Questions

Question 1: MFA Factor Categories

A company requires employees to log in using a password and a fingerprint scan. Which authentication approach does this represent?

A) Single-factor authentication   B) Two-factor authentication   C) Three-factor authentication   D) Biometric authentication

Answer: B) Two-factor authentication — Password (something you know) + fingerprint (something you are) combines two different factor categories. Using two passwords would be single-factor (both "something you know"). "Biometric authentication" describes the method, not the factor count.

Question 2: Access Control Model Selection

A government agency requires that access to classified documents is determined by security clearance levels assigned by the system, not by individual users. Which access control model is in use?

A) DAC   B) MAC   C) RBAC   D) ABAC

Answer: B) MAC (Mandatory Access Control) — MAC uses system-enforced labels and clearance levels. Users cannot change permissions — the system determines access based on clearance vs. classification. This is the standard for military and government classified systems.

Question 3: Federation Protocol

A company wants employees to use corporate credentials to access a third-party SaaS application using XML-based assertions. Which protocol should they implement?

A) OAuth 2.0   B) SAML 2.0   C) RADIUS   D) Kerberos

Answer: B) SAML 2.0 — SAML uses XML-based security assertions between an Identity Provider and Service Provider for federated SSO. OAuth 2.0 handles delegated authorization (not authentication). RADIUS provides AAA for network access such as VPN, Wi-Fi and switch logins, not SaaS federation. Kerberos is for authentication inside an AD domain.

Question 4: Least Privilege Violation

An access review reveals a help desk technician has domain administrator privileges. Which security principle is being violated?

A) Separation of duties   B) Need to know   C) Least privilege   D) Defense in depth

Answer: C) Least privilege — Help desk staff should only have permissions needed for their role, not domain admin rights. Least privilege means granting minimum necessary permissions. This over-provisioning creates unnecessary risk if the account is compromised.

Frequently Asked Questions

How many identity management questions are on the Security+ exam?

IAM topics sit in Domain 4, Security Operations (28% of the exam), as one of several objectives in that domain, so not every Domain 4 question is about identity. A reasonable planning estimate is 12-15 questions on authentication, authorization, federation, and account management; CompTIA does not publish per-objective question counts.

What authentication factors does the Security+ exam test?

Five categories: something you know, have, are, somewhere you are, and something you do. MFA requires factors from different categories.

What is the difference between SAML, OAuth, and OpenID Connect?

SAML: XML-based enterprise SSO, carrying authentication and attribute assertions from an Identity Provider to a Service Provider. OAuth 2.0: delegated API authorization only; it issues access tokens, not proof of who the user is. OIDC: authentication layer on top of OAuth 2.0 that adds a signed ID token, used by modern web and mobile apps.

What access control models should I know?

DAC (owner-controlled), MAC (label-based), RBAC (role-based), ABAC (attribute-based), Rule-Based. Know when each is appropriate.

What is the principle of least privilege?

Grant minimum necessary permissions. Limits compromise blast radius. Related: need-to-know, separation of duties, JIT access.

What account management practices are tested?

Lifecycle management, password policies, lockout, PAM, service accounts, access reviews, and offboarding procedures.

Practice Identity Management Questions Now

Our Smart Practice practice tests generate unlimited identity management questions tailored to the CompTIA Security+ exam. Get instant feedback with detailed explanations.

Start Free Practice Test →