Start with Identity
Career · Intermediate

IAM Interview Questions: What Identity Roles Actually Test

By SWI Community Team · Updated 2026-06-18 · 9 min

Identity interviews probe whether you understand protocols, can reason about trade-offs, and know how identity fails in the real world. Memorizing definitions is not enough; you should be able to explain the why. Here are the themes that come up, with what a strong answer demonstrates.

Protocol fundamentals

  • Explain the difference between authentication and authorization. A strong answer is crisp and warns against the classic mistake of using an OAuth access token as proof of login. See authentication vs authorization.
  • OAuth vs OIDC, and when you would use each. Know that OAuth is authorization, OIDC adds identity, and that the authorization code flow with PKCE is the default.
  • SAML vs OIDC. Know why enterprises still demand SAML and when OIDC is the better choice.
  • What is in a JWT, and how do you validate one? Signature, issuer, audience, expiry, and key rotation via JWKS.
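The JWT question is the one most often answered by reciting claim names, so here is the validation order spelled out in code. This is an added example, not code from the page or any identity product; it uses only the Python standard library, a constructed JWKS with symmetric ("oct") keys in place of the RSA keys a real issuer publishes, a constructed issuer and audience, and a fixed clock so the results are deterministic. The checks are the ones the bullet lists: signature against the key selected by `kid`, then issuer, audience and expiry, with the old key kept in the JWKS so tokens issued before rotation keep validating until they expire.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed values so the example runs offline and deterministically.
ISSUER = "https://idp.example"
AUDIENCE = "api.example"
NOW = 1_750_000_000  # fixed clock; a real validator uses time.time()
OLD_KEY = b"constructed-old-signing-secret-0001"
NEW_KEY = b"constructed-new-signing-secret-0002"

# Constructed JWKS. After rotation the previous key stays published until every
# token signed with it has expired, so in-flight tokens still validate.
JWKS = {"keys": [
    {"kty": "oct", "kid": "2026-05", "alg": "HS256", "k": b64url_encode(OLD_KEY)},
    {"kty": "oct", "kid": "2026-06", "alg": "HS256", "k": b64url_encode(NEW_KEY)},
]}

SAMPLE_CLAIMS = {"iss": ISSUER, "aud": AUDIENCE, "sub": "u123", "iat": NOW, "exp": NOW + 300}


def mint_token(claims: dict, kid: str, jwks: dict = JWKS) -> str:
    """Issuer side: sign claims with the key identified by kid (HS256)."""
    key = next(k for k in jwks["keys"] if k["kid"] == kid)
    header = {"alg": key["alg"], "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(b64url_decode(key["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_token(token: str, expected_iss: str, expected_aud: str, jwks: dict = JWKS,
                   now: Optional[float] = None, leeway: int = 30) -> Dict:
    """Relying-party side: verify signature first, then the claims. Raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))

    # The token never chooses the algorithm: pin what we accept and reject "none".
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("alg") != header["alg"]:
        raise ValueError("unknown kid or alg does not match published key")

    expected = hmac.new(b64url_decode(key["k"]), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    # Only after the signature holds do the claims mean anything.
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this audience")
    now = time.time() if now is None else now
    if "exp" not in claims:
        raise ValueError("missing exp")
    if now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if now < claims.get("nbf", 0) - leeway:
        raise ValueError("token not yet valid")
    return claims


def rejection_reason(token: str, expected_iss: str, expected_aud: str, **kw) -> Optional[str]:
    """None if the token validates, otherwise the reason it was rejected."""
    try:
        validate_token(token, expected_iss, expected_aud, **kw)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    token = mint_token(SAMPLE_CLAIMS, "2026-06")
    print(validate_token(token, ISSUER, AUDIENCE, now=NOW))
    print(rejection_reason(token, ISSUER, "other-api", now=NOW))
```

Two design points worth saying out loud in an interview: the accepted algorithm is fixed by the validator, never read from the token, and the audience check is what stops an access token minted for one API from being replayed as a login proof somewhere else, which is the classic mistake the first bullet warns about.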

Design and trade-offs

  • Design SSO and lifecycle for a 5,000-person company. They want to hear SSO via OIDC/SAML, SCIM provisioning, MFA policy, and a clean joiner-mover-leaver process.
  • RBAC, ABAC, or ReBAC for a given app? Reason from the access model, not the buzzword. See RBAC vs ABAC vs ReBAC.
  • How would you roll out MFA without breaking the org? Sequence, legacy apps, recovery. See the MFA rollout playbook.
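The lifecycle half of the design question is where candidates tend to hand-wave, so here is the joiner-mover-leaver logic as a reconciliation a provisioning job would run. This is an added example, not code from the page or any SCIM product; the HR roster and IdP directory are constructed, and the `op` names and the SCIM-style action strings are illustrative rather than a real client's API. It joins on a stable employee id, deactivates rather than deletes leavers, treats accounts unknown to HR as orphans to disable, and refuses to automate identity conflicts.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Person:
    employee_id: str   # stable join key; never reconcile on email alone
    email: str
    department: str
    active: bool


# Constructed HR roster (source of truth) and IdP directory snapshot.
HR_ROSTER = [
    Person("E1", "alice@corp.example", "eng", True),
    Person("E2", "bob@corp.example", "sales", True),      # moved from eng
    Person("E3", "carol@corp.example", "eng", True),      # new hire, not yet in IdP
    Person("E4", "dave@corp.example", "finance", False),  # terminated in HR
    Person("E6", "frank@corp.example", "eng", True),
]
IDP_DIRECTORY = [
    Person("E1", "alice@corp.example", "eng", True),
    Person("E2", "bob@corp.example", "eng", True),
    Person("E4", "dave@corp.example", "finance", True),   # still enabled: a leaver gap
    Person("E5", "erin@corp.example", "eng", True),       # unknown to HR: orphan account
    Person("E6", "f.smith@corp.example", "eng", True),    # same id, different email
]


def plan_lifecycle_ops(hr: List[Person], idp: List[Person]) -> List[Dict[str, str]]:
    """Diff HR against the IdP and return the provisioning operations to apply.

    Joiners get a new user, movers get attribute and group updates, leavers are
    deactivated (sessions and refresh tokens revoked) rather than deleted so the
    record survives for investigation. Identity conflicts go to a human.
    """
    hr_by_id = {p.employee_id: p for p in hr}
    idp_by_id = {p.employee_id: p for p in idp}
    ops: List[Dict[str, str]] = []

    for eid, person in hr_by_id.items():
        current = idp_by_id.get(eid)
        if not person.active:
            if current is not None and current.active:
                ops.append({"employee_id": eid, "op": "leaver",
                            "action": "PATCH active=false; revoke sessions and refresh tokens"})
            continue
        if current is None:
            ops.append({"employee_id": eid, "op": "joiner",
                        "action": f"POST /Users {person.email} in {person.department}"})
        elif current.email != person.email:
            ops.append({"employee_id": eid, "op": "review",
                        "action": "email mismatch between HR and IdP; resolve before automating"})
        elif current.department != person.department:
            ops.append({"employee_id": eid, "op": "mover",
                        "action": f"PATCH department {current.department} -> {person.department}; "
                                  "re-evaluate group membership"})

    # Accounts the IdP knows but HR does not are leavers, never implicit joiners.
    for eid, current in idp_by_id.items():
        if eid not in hr_by_id and current.active:
            ops.append({"employee_id": eid, "op": "leaver",
                        "action": "orphan account: PATCH active=false and investigate origin"})

    return sorted(ops, key=lambda o: o["employee_id"])


if __name__ == "__main__":
    for op in plan_lifecycle_ops(HR_ROSTER, IDP_DIRECTORY):
        print(op["employee_id"], op["op"], "-", op["action"])
```

Running it against the constructed data yields one joiner (E3), one mover (E2), two leavers (E4 terminated in HR, E5 orphaned in the IdP) and one conflict sent for review (E6). The mover path is the part interviewers listen for: changing a department without re-evaluating group membership is how people accumulate access they no longer need.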

Security and incident reasoning

How to prepare

Build something, read the standards, study the breaches, and practice explaining trade-offs out loud. Depth and clear reasoning win these interviews.

Related

Career paths, how to become an identity engineer.