AZ-720 Troubleshooting Microsoft Azure Connectivity Dumps
If you are looking for free AZ-720 dumps, then here we have some sample questions and answers available. You can prepare from our Microsoft AZ-720 exam question notes and prepare for the exam with this practice test. Check our updated AZ-720 exam dumps below.
DumpsGroup is a top-class study material provider, and our inclusive range of AZ-720 real exam questions would be your key to success in the Microsoft Microsoft Certified: Cybersecurity Architect Expert Certification Exam on your first attempt. We have excellent material covering almost all the topics of the Microsoft AZ-720 exam. You can get this material in Microsoft AZ-720 PDF and AZ-720 practice test engine formats designed to be similar to the real exam questions. Free AZ-720 questions and answers and free Microsoft AZ-720 study material are available here to give an idea of the quality and accuracy of our study material.
Sample Question 4
A company deploys a new file sharing application on four Standard_D2_v3 virtual machines (VMs) behind an Azure Load Balancer. The company implements Azure Firewall. Users report that the application is slow during peak usage periods. An engineer reports that the peak usage for each VM is approximately 1 Gbps. You need to implement a solution that supports a minimum of 10 Gbps. What should you do to increase the throughput?
A. Request an increase in networking quotas.
B. Increase the size of the VM instance.
C. Disable the Azure Firewall and implement network security groups in its place.
D. Move two of the servers behind a separate load balancer and configure round robin routing in Traffic Manager.
Answer: B
Explanation: According to the given scenario, the application deployed on four
Standard_D2_v3 virtual machines behind an Azure Load Balancer is experiencing slow
performance during peak usage periods. It is reported that the peak usage for each VM is
approximately 1 Gbps, and the goal is to increase the throughput to a minimum of 10 Gbps.
To achieve this goal, the best option is to increase the size of the VM instance. The
Standard_D2_v3 virtual machine size has a maximum network bandwidth of 1 Gbps, so
increasing the size of the VM instance to a higher tier, such as Standard_D8_v3 or higher,
will provide more network bandwidth and improve the application's performance.
Option A, requesting an increase in networking quotas, may not be sufficient to achieve the
required network bandwidth.
Option C, disabling the Azure Firewall and implementing network security groups, may not
have a significant impact on the network bandwidth.
Option D, moving two of the servers behind a separate load balancer and configuring
round-robin routing in Traffic Manager, may improve availability and performance but will
Sample Question 5
A company enables just-in-time (JIT) virtual machine (VM) access in Azure. An administrator observes a list of VMs on the Unsupported tab of the JIT VM access page in the Microsoft Defender for Cloud portal. You need to determine why some VMs are not supported for JIT VM access. What should you conclude?
A. The administrator is using the Microsoft Defender for Cloud free tier.
B. The VMs were provisioned by using a classic deployment.
C. The VMs were recently provisioned by using an Azure Resource Manager deployment.
D. The administrator does not have the SecurityReader role.
Answer: B
Explanation: The Unsupported tab on the Just-in-Time VM access page in the Microsoft
Defender for Cloud portal indicates that the VMs were provisioned by using a classic
deployment. Classic deployments were used in Azure before the deployment model was
updated to Azure Resource Manager, which is now the preferred model for deploying and
managing resources in Azure.
Sample Question 6
A company has an ExpressRoute gateway between their on-premises site and Azure. The ExpressRoute gateway is on a virtual network named VNet1. The company enables FastPath on the gateway. You associate a network security group (NSG) with all of the subnets. Users report issues connecting to VM1 from the on-premises environment. VM1 is on a virtual network named VNet2. Virtual network peering is enabled between VNet1 and VNet2. You create a flow log named FlowLog1 and enable it on the NSG associated with the gateway subnet. You discover that FlowLog1 is not reporting outbound flow traffic. You need to resolve the issue with FlowLog1. What should you do?
A. Configure FlowLog1 for version 2.
B. Create the storage account for FlowLog1 as a premium block blob.
C. Configure the FlowTimeoutInMinutes property on VNet2 to a non-null value.
D. Enable FlowLog1 in a network security group associated with the network interface of VM1.
Answer: A
Explanation: According to 1, flow logging using ExpressRoute Traffic Collector requires version 2 of flow logs. Version 1 of flow logs does not support ExpressRoute Traffic
Collector. You can configure the version of flow logs when you enable them on a network
security group (NSG).
Sample Question 7
A company deploys Azure Bastion to connect to their virtual machine (VM) infrastructure. An engineer attempts to connect to a Windows VM by using Remote Desktop Protocol (RDP). The connection fails. You need to troubleshoot the issue. Which two actions should you perform?
A. Monitor traffic with the following PowerShell cmdlet Test-AzNetworkWatcherConnectivity.
B. Configure Azure Bastion with static assignment.
C. Apply a network security group on the same subnet as Azure Bastion.
D. Run the Network Watcher Connection troubleshoot service.
E. Monitor traffic with the following PowerShell cmdlet New-AzNetworkWatcherFlowLog.
Answer: A,D
Explanation: The two actions that should be performed to troubleshoot the issue of a
failed RDP connection to a Windows VM through Azure Bastion are A) Monitor traffic with
the PowerShell cmdlet 'Test-AzNetworkWatcherConnectivity' and D) Run the Network
Watcher Connection troubleshoot service.
A) Monitor traffic with the PowerShell cmdlet 'Test-AzNetworkWatcherConnectivity': This
cmdlet can be used to verify connectivity between two endpoints in Azure. By monitoring
traffic, you can identify the root cause of issues with the VM's connectivity through Azure
Bastion.
D) Run the Network Watcher Connection troubleshoot service: This service can help
identify the root cause of connectivity issues with Azure resources. It analyses network
traffic to identify common misconfiguration issues and provides guidance on how to resolve
Sample Question 8
A company has an on-premises application server that runs in System Center Virtual Machine Manager (SCVMM). The company configures Azure Site Recovery. An administrator at the company reports that they receive an error message. The error message indicates that there are replication issues. You need to troubleshoot the issue. Which log should you review?
A. Network Security Group flow log
B. Azure Monitor log
C. Network Watcher diagnostic log
D. SCVMM debug log
Answer: D
Explanation: When you use Azure Site Recovery to replicate on-premises VMs that run in
SCVMM, you need to check the SCVMM debug log for any errors or warnings related to
replication. The SCVMM debug log is located at %SYSTEMDRIVE%\ProgramData\VMMLogs\SCVMM.debugtrace.log on the SCVMM
server.
Sample Question 9
A company uses an Azure Virtual Network (VNet) gateway named VNetGW1. VNetGW1 connects to a partner site by using a site-to-site VPN connection with dynamic routing. The company observes that the VPN disconnects from time to time. You need to troubleshoot the cause for the disconnections. What should you verify?
A. The partner's VPN device and VNetGW1 are configured using the same shared key.
B. VNetGW1 has exceeded the subnet Security Association pairs.
C. The partner's VPN device and VNetGW1 are configured with the same virtual network address space.
D. The public IP address of the partner's VPN device is configured in the local network gateway address space on VNetGW1.
Answer: A
Explanation: To troubleshoot the cause for the VPN disconnections between VNetGW1
and the partner site, you should verify that the partner’s VPN device and VNetGW1 are
configured using the same shared key.
Sample Question 10
A company connects their on-premises network by using Azure VPN Gateway. The on-premises environment includes three VPN devices that separately tunnel to the gateway by using Border Gateway Protocol (BGP). A new subnet should be unreachable from the on-premises network. You need to implement a solution.
Solution: Configure a route table with route propagation disabled.
Does the solution meet the goal?
A. Yes
B. No
Answer: B
Explanation: The proposed solution of configuring a route table with route propagation
disabled will not meet the goal of making the new subnet unreachable from the on-premises
network.
Route tables in Azure are used to control traffic flow within a virtual network and between
virtual networks. By default, each subnet in an Azure virtual network is associated with a
system-generated route table, which contains a default route that enables traffic to flow to
and from all the subnets within the virtual network.
Disabling route propagation in a custom route table would prevent any new routes from
being propagated to the associated subnets. However, it would not prevent traffic from the
on-premises network from reaching the new subnet since traffic between the virtual
network and the on-premises network would still use the default route in the system-generated
route table.
To meet the goal of making the new subnet unreachable from the on-premises network,
you would need to create a new route table with a route that sends traffic destined for the
new subnet to a null interface. This would cause the traffic to be dropped and the subnet to
be effectively unreachable from the on-premises network.
Reference:
Microsoft documentation on how to create a custom route table and associate it with a
Sample Question 11
A company deploys an Azure Virtual Network gateway. The company connects to the gateway by using a site-to-site VPN connection. The company's on-premises VPN gateway is reporting an issue with the Phase 1 proposal from the Azure Virtual Network gateway. You need to troubleshoot the issue by reviewing the logs. Which log should you analyze?
A. P2SDiagnosticLog
B. GatewayDiagnosticLog
C. IKEDiagnosticLog
D. RouteDiagnosticLog
Answer: C
Explanation: To troubleshoot an issue with the Phase 1 proposal from an Azure Virtual
Network gateway when connecting to a site-to-site VPN connection by reviewing logs, you
should analyze the IKE Diagnostic log. Therefore, option C is correct.
Sample Question 12
A company connects their on-premises network by using Azure VPN Gateway. The on-premises environment includes three VPN devices that separately tunnel to the gateway by using Border Gateway Protocol (BGP). A new subnet should be unreachable from the on-premises network. You need to implement a solution.
Solution: Disable peering on the virtual network.
Does the solution meet the goal?
A. Yes
B. No
Answer: B
Explanation: Disabling peering on the virtual network will not prevent the on-premises network from reaching the new subnet. Virtual network peering is a way to connect virtual
networks and allows resources in both virtual networks to communicate with each other
securely. It does not affect connectivity between on-premises and virtual network
resources.
A better solution would be to create a network security group (NSG) and associate it with
the new subnet. The NSG can be configured to deny traffic from the on-premises network
to the new subnet. This way, the new subnet will be isolated from the on-premises network.
Sample Question 13
A company implements self-service password reset (SSPR). After a firewall upgrade at the company's datacenter, SSPR stops working. You need to resolve the issue. Which two URLs must be present on the firewalls to allow SSPR to connect?
A. *.update.microsoft.com
B. *.servicebus.windows.net
C. *.passwordreset.microsoftonline.com
D. *.svc.ms
E. *.adl.windows.com
Answer: C,D
Explanation: Self-service password reset (SSPR) is a feature in Azure Active Directory
(Azure AD) that allows users to reset their passwords on their own. To ensure that SSPR
works correctly, certain URLs must be accessible from the user’s network. These URLs
include *.passwordreset.microsoftonline.com and *.svc.ms, which are used for SSPR
authentication and service communications.
Sample Question 14
A company has two subnets in a virtual network named VNet1. The subnets are named SubnetA and SubnetB. The company uses a site-to-site (S2S) VPN in SubnetB to connect its on-premises environment to Azure. You deploy an Azure SQL Database named SQL1. You configure a service endpoint in SubnetA for Microsoft.Sql
A. Configure a DNS record for the private IP address of SQL1.
B. Configure a network security group (NSG) to allow port 1433 on SubnetA.
C. Configure a service endpoint on SubnetB.
D. Deploy a private endpoint for SQL1.
E. Deploy an Azure ExpressRoute circuit for VNet1.
Answer: D
Explanation: To allow the on-premises environment to access the Azure SQL Database
named SQL1 over a site-to-site (S2S) VPN in SubnetB, you should deploy a private
endpoint for SQL1. A private endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. Private Link allows you to access
Azure PaaS services (for example, Azure Storage and SQL Database) and Azure-hosted
customer/partner services over a private endpoint in your virtual network. So the correct
answer is D. Deploy a private endpoint for SQL1.
You can find more information about private endpoints in the official Microsoft
documentation.
Sample Question 15
A company configures an Azure site-to-site VPN between an on-premises network and an Azure virtual network. The company reports that after completing the configuration, the VPN connection cannot be established. You need to troubleshoot the connection issue. What should you do first?
A. Identify the shared key by running this PowerShell cmdlet: Get-AzVirtualNetworkGatewayConnectionSharedKey.
B. Identify the shared key by running this PowerShell cmdlet: Get-AzVirtualNetworkGatewayConnectionVpnDeviceConfigScript.
C. Verify the AzureRoot.cer file exists.
D. Verify the AzureClient.pfx file exists.
Answer: A
Explanation: To troubleshoot the connection issue, you should first identify the shared
key by running this PowerShell cmdlet: Get-AzVirtualNetworkGatewayConnectionSharedKey.
According to 1, this cmdlet returns the
shared key that is used for authentication between an Azure virtual network gateway and a
local network gateway. You can use this cmdlet to verify that the shared key matches on
both sides of the VPN connection.
Therefore, you should choose A. Identify the shared key by running this PowerShell cmdlet:
Get-AzVirtualNetworkGatewayConnectionSharedKey.
Sample Question 16
A company hosts a network virtual appliance (NVA) and Azure Route Server in different virtual networks (VNets). Border Gateway Protocol (BGP) peering is enabled between the NVA and the route server. The NVA loses internet connectivity after it advertises the default route to the route server. You need to resolve the problem with the NVA. What should you do?
A. Configure a user-defined route on the NVA subnet.
B. Move the route server to the same VNet as the NVA.
C. Configure a unique autonomous system number (ASN) on the NVA.
D. Configure a public IP address on the route server.
Answer: C
Explanation: According to 2, when using Azure Route Server with network virtual
appliances (NVAs), you need to ensure that each NVA has a unique ASN that is different
from the route server’s ASN and any other BGP peer’s ASN. Otherwise, there will be
routing issues due to BGP loop prevention mechanisms.
You can configure the ASN on the NVA by using its own configuration tools or
commands. For more information, see 2.
Sample Question 17
A company migrates an on-premises Windows virtual machine (VM) to Azure. An administrator enables backups for the VM by using the Azure portal. The company reports that the Azure VM backup job is failing. You need to troubleshoot the issue.
Solution: Enable replication and create a recovery plan for the backup vault.
Does the solution meet the goal?
A. Yes
B. No
Answer: B
Explanation: The solution does not meet the goal. Enabling replication and creating a
recovery plan for the backup vault is not relevant to troubleshooting an Azure VM backup job failure. The administrator should troubleshoot the issue by checking the VM's disk
configuration, checking the status of the VM guest agent, and ensuring that the backup
policy is configured correctly.
Sample Question 18
A company uses an Azure VPN gateway to connect to their on-premises environment. The company's on-premises VPN gateway is used by several services. One service is experiencing connectivity issues. You need to minimize downtime for all services and resolve the connectivity issue. Which three actions should you perform?
A. Configure the hashing algorithm to be different on both gateways.
B. Reset the VPN gateway.
C. Configure the pre-shared key to be the same on the Azure VPN gateway and the on-premises VPN gateways.
D. Reset the VPN connection.
E. Configure the hashing algorithm to be the same on both gateways.
F. Configure the pre-shared key to be different on the Azure VPN gateway and the on-premises VPN gateways.
Answer: C,D,E
Explanation: The three actions that should be performed to minimize downtime for all
services and resolve the connectivity issue are: C. Configure the pre-shared key to be the
same on the Azure VPN gateway and the on-premises VPN gateways. D. Reset the VPN
connection. E. Configure the hashing algorithm to be the same on both gateways.
Sample Question 19
A company uses Azure AD Connect. The company plans to implement self-service password reset (SSPR). An administrator receives an error that password writeback could not be enabled during the Azure AD Connect configuration. The administrator observes the following event log error:
Error getting auth token
You need to resolve the issue.
Solution: Disable password writeback and then enable password writeback.
Does the solution meet the goal?
A. Yes
B. No
Answer: B
Explanation: The solution of disabling and re-enabling password writeback may not meet
the goal of resolving the issue. According to 1, there are other steps that you should try
before disabling and re-enabling password writeback, such as:
Confirm network connectivity
Restart the Azure AD Connect Sync service
Install the latest Azure AD Connect release
Troubleshoot password writeback
If none of these steps work, then you can try to disable and re-enable password writeback
as a last resort.
Sample Question 20
A company has users in Azure Active Directory (Azure AD). The company enables the users to use Azure AD multi-factor authentication (MFA). A user named User1 reports they receive the following error while setting up additional security verification settings for MFA:
Sorry! We can't process your request. Your session is invalid or expired. There was an error processing your request because your session is invalid or expired. Please try again.
You need to help the user complete the MFA setup. What should you do?
A. From the Microsoft 365 Admin portal, clear the Block this user from signing in option for the user.
B. Instruct the user to complete the setup process within 10 minutes.
C. Instruct the user to enter the correct verification code.
D. Instruct the user to clear their web browser cache.
E. From the Azure AD portal, reset the user's password.
Answer: D
Explanation: This error can occur when there are issues with cookies or cached data in the
web browser. To resolve this issue, you can instruct the user to clear their web browser
cache and try again.
Sample Question 21
A company has an Azure Active Directory (Azure AD) tenant. The company provisions an Azure Active Directory Domain Services (Azure AD DS) instance. Users report that they are unable to sign into Azure AD DS after being provisioned from Azure AD. You verify the user accounts exist in Azure AD DS. You need to resolve the issue. What should you do?
A. Delete the Azure application named AzureActiveDirectoryDomainControllerServices and then enable Azure AD DS again.
B. Deploy Azure AD Connect.
C. Delete the Azure application named Azure AD Domain Services Sync and then enable Azure AD DS again.
D. Instruct the users to change their password in Azure AD.
Answer: D
Explanation: Azure AD doesn’t generate or store password hashes in the format that’s
required for NTLM or Kerberos authentication until you enable Azure AD DS for your
tenant. Therefore, Azure AD can’t automatically generate these NTLM or Kerberos
password hashes based on users’ existing credentials.
For cloud-only environments with no on-premises synchronization, you need to instruct
users to change their password in Azure AD after enabling Azure AD DS. This will generate
the required password hashes and sync them to Azure AD DS within 20 minutes.
Exam Code: AZ-720
Exam Name: Troubleshooting Microsoft Azure Connectivity
Last Update: May 20, 2024
Questions: 119