[UPDATED 2023] Free Microsoft AZ-720 Exam Questions Self-Assess Preparation [Q49-Q72]


AZ-720 Free Sample Questions to Practice One Year Update


The Microsoft AZ-720 certification exam consists of multiple-choice questions and is designed to test the candidate's knowledge and skills in troubleshooting connectivity issues in Microsoft Azure. The AZ-720 exam covers a wide range of topics, including virtual networking, network security, network monitoring, and troubleshooting tools and techniques. Candidates will be required to demonstrate their ability to diagnose and resolve connectivity issues in a Microsoft Azure environment.


Earning the Microsoft AZ-720 certification can demonstrate to potential employers that an IT professional has the skills and knowledge necessary to troubleshoot complex Azure connectivity issues. The Troubleshooting Microsoft Azure Connectivity certification can also lead to career advancement opportunities and higher salaries in the field of Azure networking.

 

NEW QUESTION # 49
A company connects their on-premises network by using Azure VPN Gateway. The on-premises environment
includes three VPN devices that separately tunnel to the gateway by using Border Gateway Protocol (BGP).
A new subnet should be unreachable from the on-premises network.
You need to implement a solution.
Solution: Scale the gateway to Generation2.
Does the solution meet the goal?

  • A. Yes
  • B. No

Answer: A


NEW QUESTION # 50
A company uses an Azure Virtual Network (VNet) gateway named VNetGW1. VNetGW1 connects to a
partner site by using a site-to-site VPN connection with dynamic routing.
The company observes that the VPN disconnects from time to time.
You need to troubleshoot the cause for the disconnections.
What should you verify?

  • A. The partner's VPN device is configured for one VPN tunnel per subnet pair.
  • B. The partner's VPN device and VNetGW1 are configured with the same virtual network address space.
  • C. The public IP address of the partner's VPN device is configured in the local network gateway address
    space on VNetGW1.
  • D. The partner's VPN device and VNetGW1 are configured using the same shared key.

Answer: D


NEW QUESTION # 51
A company deploys an ExpressRoute circuit.
You need to verify accepted peering routes from the ExpressRoute circuit.
Which PowerShell cmdlet should you run?

  • A. Get-AzExpressRouteCircuitRouteTable
  • B. Get-AzExpressRouteCrossConnectionPeering
  • C. Get-AzExpressRouteCircuitStats
  • D. Get-AzExpressRouteCircuit
  • E. Get-AzExpressRouteCircuitPeeringConfig

Answer: A

Explanation:
To verify accepted peering routes from the ExpressRoute circuit, you should run the PowerShell cmdlet Get-AzExpressRouteCircuitRouteTable. According to [1], this cmdlet returns a list of routes advertised by an ExpressRoute circuit peering. You can specify which peering type (AzurePrivatePeering, AzurePublicPeering, or MicrosoftPeering) and which route table (AdvertisedPublicPrefixes or AdvertisedPublicPrefixesState) you want to view.


NEW QUESTION # 52
A company is deploying Azure Bastion to provide secure clientless access to its Azure VMs. The company configures a network security group named NSG1.
During deployment, the following error displays: Network security group NSG1 does not have necessary rules for Azure Bastion Subnet AzureBastionSubnet.
You need to fix the inbound rules for NSG1.
How should you complete the configuration?

Answer:

Explanation:


NEW QUESTION # 53
A company is deploying Azure Bastion to provide secure clientless access to its Azure VMs. The company configures a network security group named NSG1.
During deployment, the following error displays: Network security group NSG1 does not have necessary rules for Azure Bastion Subnet AzureBastionSubnet.
You need to fix the inbound rules for NSG1.
How should you complete the configuration?

Answer:

Explanation:


NEW QUESTION # 54
You need to resolve the connectivity issue with the on-premises database named CosmosDB1.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:


NEW QUESTION # 55
A company enables just-in-time (JIT) virtual machine (VM) access in Azure.
An administrator observes a list of VMs on the Unsupported tab of the JIT VM access page in the Microsoft Defender for Cloud portal.
You need to determine why some VMs are not supported for JIT VM access.
What should you conclude?

  • A. The VMs were provisioned by using a classic deployment.
  • B. The administrator is using the Microsoft Defender for Cloud free tier.
  • C. The administrator does not have the SecurityReader role.
  • D. The VMs were recently provisioned by using an Azure Resource Manager deployment.

Answer: A


NEW QUESTION # 56
A company has an ExpressRoute gateway between their on-premises site and Azure. The ExpressRoute gateway is on a virtual network named VNet1. The company enables FastPath on the gateway. You associate a network security group (NSG) with all of the subnets.
Users report issues connecting to VM1 from the on-premises environment. VM1 is on a virtual network named VNet2. Virtual network peering is enabled between VNet1 and VNet2.
You create a flow log named FlowLog1 and enable it on the NSG associated with the gateway subnet.
You discover that FlowLog1 is not reporting outbound flow traffic.
You need to resolve the issue with FlowLog1.
What should you do?

  • A. Create the storage account for FlowLog1 as a premium page blob.
  • B. Configure the FlowTimeoutInMinutes property on VNet1 to a non-null value.
  • C. Create the storage account for FlowLog1 as a premium block blob.
  • D. Enable FlowLog1 in a network security group associated with the subnet of VM1.

Answer: D

Explanation:
When FastPath is enabled on an ExpressRoute gateway, network traffic between your on-premises network and your virtual network bypasses the gateway and goes directly to virtual machines in the virtual network. Therefore, if you want to capture outbound flow traffic from VM1, you need to enable flow logging on an NSG associated with the subnet of VM1.


NEW QUESTION # 57
A company has an Azure virtual network (VNet). An administrator creates a subnet in the VNet named AzureBastionSubnet. The administrator deploys Azure Bastion to AzureBastionSubnet.
The administrator creates a default network security group named nsg-Bastion. The following error message displays when the administrator attempts to assign nsg-Bastion to AzureBastionSubnet:
Network security group nsg-Bastion does not have necessary rules for Azure Bastion Subnet AzureBastionSubnet
You need to resolve the issues with the inbound security rules.
Which port or set of ports should you configure?

Answer:

Explanation:


NEW QUESTION # 58
A company enables just-in-time (JIT) virtual machine (VM) access in Azure.
An administrator observes a list of VMs on the Unsupported tab of the JIT VM access page in the Microsoft Defender for Cloud portal.
You need to determine why some VMs are not supported for JIT VM access.
What should you conclude?

  • A. The client firewall does not allow port 22 on the VMs.
  • B. A network security group is not associated with the VMs.
  • C. The administrator is using the Microsoft Defender for Cloud free tier.
  • D. The administrator does not have the SecurityReader role.

Answer: A


NEW QUESTION # 59
A company has an Azure tenant. The company deploys an Azure Firewall named FW1 using the Standard SKU. You configure FW1 using classic firewall rules.
The company creates an application rule collection with the following settings:
Priority: 100
Action: Deny
Rule type: FQDN
Source type: IP address
Source: *
Protocol: http:80,https:443
Target FQDN: *.cloud.contoso.com
An engineer observes that traffic to console.cloud.contoso.com is still allowed by FW1.
You need to determine why the traffic is allowed.
What should you review?

  • A. Infrastructure rules
  • B. Application rules
  • C. Web categories
  • D. Network rules

Answer: D

Explanation:
To determine why the traffic is allowed, you should review network rules. According to [3], Azure Firewall uses network rules to allow or deny traffic based on source and destination IP address, port, and protocol. Network rules are applied before application rules and have higher priority than application rules. Therefore, if there is a network rule that allows traffic to console.cloud.contoso.com on port 80 or 443, it will override the application rule that denies traffic based on FQDN.


NEW QUESTION # 60
A company deploys a new application and places the application behind an Azure Application Gateway Web Application Firewall (WAF).
A user with client IP 203.0.113.26 reports that they cannot access the application.
You need to troubleshoot the issue.
How should you complete the query?

Answer:

Explanation:


NEW QUESTION # 61
A company has an Azure Active Directory (Azure AD) tenant. The company deploys Azure AD Connect to synchronize users from an Active Directory Domain Services (AD DS).
The synchronization of a user object is failing.
You need to troubleshoot the failing synchronization by using a built-in Azure AD Connect troubleshooting task.
Which two pieces of information should you collect before you start troubleshooting?

  • A. Object distinguished name
  • B. Object globally unique identifier
  • C. Azure AD connector name
  • D. Object common name
  • E. AD connector name

Answer: B,C


NEW QUESTION # 62
A company has an ExpressRoute gateway between their on-premises site and Azure. The ExpressRoute gateway is on a virtual network named VNet1. The company enables FastPath on the gateway. You associate a network security group (NSG) with all of the subnets.
Users report issues connecting to VM1 from the on-premises environment. VM1 is on a virtual network named VNet2. Virtual network peering is enabled between VNet1 and VNet2.
You create a flow log named FlowLog1 and enable it on the NSG associated with the gateway subnet.
You discover that FlowLog1 is not reporting outbound flow traffic.
You need to resolve the issue with FlowLog1.
What should you do?

  • A. Configure the FlowTimeoutInMinutes property on VNet1 to a non-null value.
  • B. Create the storage account for FlowLog1 as a premium block blob.
  • C. Create the storage account for FlowLog1 as a premium page blob.
  • D. Enable FlowLog1 in a network security group associated with the subnet of VM1.

Answer: C


NEW QUESTION # 63
A company has an Azure Active Directory (Azure AD) tenant. The company deploys Azure AD Connect to synchronize users from an Active Directory Domain Services (AD DS).
The synchronization of a user object is failing.
You need to troubleshoot the failing synchronization by using a built-in Azure AD Connect troubleshooting task.
Which two pieces of information should you collect before you start troubleshooting?

  • A. AD connector name
  • B. Object distinguished name
  • C. Azure AD connector name
  • D. Object common name
  • E. Object globally unique identifier

Answer: A,B

Explanation:
The two pieces of information that should be collected before starting to troubleshoot the failing synchronization by using a built-in Azure AD Connect troubleshooting task are:
B. AD connector name
E. Object distinguished name
Azure AD Connect is a tool used to synchronize users from an on-premises Active Directory Domain Services (AD DS) to Azure AD. When troubleshooting synchronization issues, it is important to have information about the object that is failing to synchronize. The AD connector name refers to the name of the connector used to connect to the on-premises AD DS. The object distinguished name refers to the unique identifier of the object in the on-premises AD DS. Having this information can help identify and resolve synchronization issues.


NEW QUESTION # 64
A company uses an Azure Backup agent to back up specific files and folders from an Azure virtual machine (VM) and an on-premises VM.
An administrator reports that the backup job fails on both VMs. Errors are returned in Microsoft Azure Recovery Services (MARS).
You need to troubleshoot the backup issues.
Which troubleshooting solution should you use?

Answer:

Explanation:


NEW QUESTION # 65
A customer creates an Azure resource group named RG1 in the East US region. RG1 contains the following resources:

The customer performs the following tasks:
Create a private endpoint for sqlsrv1 in subnet2 with the private IP address of 192.168.2.100.
Create a private DNS zone named privatelink.database.windows.net by using a single A record named sqlsvr1 and the IP address 192.168.2.100.
Disable public access by using the public endpoint for sqlsvr1.
The customer reports that connections from VM1 to DB1 are failing. The solution must allow connections from VM1 to DB1 without making platform-level changes.
You need to troubleshoot and resolve the issue.
What should you do?

Answer:

Explanation:


NEW QUESTION # 66
You need to resolve the Azure virtual machine (VM) deployment issues.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:


NEW QUESTION # 67
A company implements Windows and Linux VMs in an Azure Virtual Network. The company plans to apply routing changes to the virtual network.
You need to determine the impact of these changes on network latency affecting applications that use TCP and UDP traffic. The solution must provide the highest level of accuracy.
Which tools should you use?

Answer:

Explanation:


NEW QUESTION # 68
A company connects their on-premises network by using Azure VPN Gateway. The on-premises environment
includes three VPN devices that separately tunnel to the gateway by using Border Gateway Protocol (BGP).
A new subnet should be unreachable from the on-premises network.
You need to implement a solution.
Solution: Configure subnet delegation.
Does the solution meet the goal?

  • A. No
  • B. Yes

Answer: A


NEW QUESTION # 69
A company enables just-in-time (JIT) virtual machine (VM) access in Azure.
An administrator observes a list of VMs on the Unsupported tab of the JIT VM access page in the Microsoft Defender for Cloud portal.
You need to determine why some VMs are not supported for JIT VM access.
What should you conclude?

  • A. The VMs were provisioned by using a classic deployment.
  • B. The administrator is using the Microsoft Defender for Cloud free tier.
  • C. The administrator does not have the SecurityReader role.
  • D. The administrator does not have permissions to request JIT access to the VMs.

Answer: A

Explanation:
JIT VM access is only supported for VMs that are deployed using the Azure Resource Manager (ARM) deployment model. VMs that are provisioned using the classic deployment model are not compatible with JIT VM access and will be displayed under the Unsupported tab of the JIT VM access page in the Microsoft Defender for Cloud portal.


NEW QUESTION # 70
A company enables just-in-time (JIT) virtual machine (VM) access in Azure.
An administrator observes a list of VMs on the Unsupported tab of the JIT VM access page in the Microsoft Defender for Cloud portal.
You need to determine why some VMs are not supported for JIT VM access.
What should you conclude?

  • A. The administrator is using the Microsoft Defender for Cloud free tier.
  • B. A network security group is not associated with the VMs.
  • C. The administrator does not have the SecurityReader role.
  • D. The client firewall does not allow port 22 on the VMs.

Answer: A

Explanation:
Topic 1, Contoso Ltd,
Background
Contoso, Ltd. is a financial services company based in Boston, MA, United States. Contoso hires you to manage their Azure environment and resolve several operational issues.
General
Contoso's Azure environment contains the following resources. All resources are associated with the same subscription and are located in the East US region. Users connect to resources from Windows 10 computers by using the built-in SSTP VPN software.

Recent changes
The company implements the following changes:
Extend the IP address space of VNet1 and create subnets in the new IP address space.
Allow users with computers that run the current version of MacOS to use the built-in VPN client for connecting to the point-to-site VPN.
Enable a service endpoint on contosostorage1 to provide direct access to the storage content from all
Configure all business critical VM workloads to use encryption keys stored in all five key vaults.
Enable a private endpoint on CosmosDB1 to provide direct access to its content from VNet1.
Develop an automated process to deploy Azure VMs by using Azure Bicep. The passwords for the local administrator accounts are stored in the key vaults. You grant the team that initiates the deployment the Reader RBAC role to all key vaults.
Deploy a multi-tier SharePoint Server environment into a subnet in VNet2. You implement network security groups (NSGs) to allow only specific ports between tiers in the subnet. You configure NSGs to use application security groups (ASGs) when designating the source and destination of cross-tier traffic.
Deploy a secondary multi-tier SharePoint Server environment into a subnet in VNet3.
Requirements
General Requirements
You must adhere to the principle of least privilege when granting access to resources.
Reverse DNS lookup
You must identify the reason for the differences between reverse DNS lookup results in the hub and the spoke networks and recommend a solution that provides the reverse DNS lookup in the format [vmname].contoso.com for all three virtual networks.
Public DNS lookup
You must verify that the Azure public DNS zone is currently used to resolve DNS name requests for www.contoso.com and recommend a solution that uses the Azure public DNS zone.
Windows VPN
You must verify if VPN client connectivity issues are related to routing and recommend a solution.
MacOS VPN
You must verify if Remote ID and local ID VPN client settings on the MacOS devices are properly configured.
Azure Storage connectivity
You must resolve the issues with the SMB-mounts from VNet2 and VNet3 as well as ensure that on-premises connections to contosostorage are successful. Your solution must ensure that, whenever possible, network traffic does not traverse public internet.
Cosmos DB connectivity
You must verify if on-premises connections to ContosoDB1 are using the CosmosDB1 public endpoint. You need to recommend a solution if connections are not using private endpoints.
DNS issues
Reverse DNS lookups from VNet1 return two records. One DNS record is in the format [vmname].contoso.com and the other DNS record is in the format [vmname].internal.cloudapp.net. Reverse DNS lookups from VNet2 and VNet3 return DNS names in the format [vmname].internal.cloudapp.net.
VMs on each virtual network can only resolve reverse DNS lookup names of VMs on the same virtual network.
Public DNS lookup
You are notified that name resolution requests for www.contoso.com are using the DNS zone hosted by the DNS registrar where the zone was originally created.
Connectivity and routing issues
Windows VPN
Windows VPN clients cannot connect to Azure VMs on the subnets recently added to VNet1.
Sales department VPN
The sales department users connect by using the MacOS VPN client.
Azure Storage Connectivity
Server Message Block (SMB) mounts from VMs on VNet2 and VNet3 to file shares in contosostorage1 are failing.
Azure Storage Explorer connections using access keys from on-premises computers to contosostorage1 are failing.
Cosmos DB connectivity
You observe that connections to CosmosDB1 from the on-premises environment are using the CosmosDB1 public endpoint. However, connections to CosmosDB1 from the on-premises environment should be using the private endpoint. You verify that connections to CosmosDB1 from VNet1 are using the private endpoint.
Azure Key vault
Access attempts to Azure Key vault by VM workloads intermittently fail with the HTTP response code 429. You must identify the reason for the failures and recommend a solution.
SharePoint
SharePoint in VNet2
SharePoint traffic between tiers is blocked by NSGs which is causing application failures. You need to identify the NSG rules that are blocking traffic. You also need to collect the data that is blocked by the NSG rules. The solution must minimize administrative effort.
SharePoint in VNet3.
ASGs used in the NSG rules associated with the VNet2 subnet are not visible when configuring NSG rules in VNet3. You need to create NSG rules for VNet3 with the same name, source and destination settings that are configured for the NSG associated with VNet2. The solution must minimize administrative effort.
Permission issues
Azure Bicep
You must identify the minimum privileges required to provision Azure VMs using Azure Bicep.
Data engineering team
You must identify the role-based access control (RBAC) roles required by the data engineering team to access the storage account by using Azure portal. The team requires minimum permissions to back up and restore blobs in contosostorage1. The Contoso data engineering team is unable to view the contosostorage1 account in the Azure portal.
Azure VM deployment
Azure VM deployments that use Azure Bicep are failing with an authorization error. The error indicates there are insufficient access permissions to retrieve the password of the local administrator account in the key vault.
VM1 and VM2
RT12 must be configured to route internal traffic from VM1 through VM2. You observe that internet traffic from VM1 is routed directly to the internet.
VM2
You configure VM2 to route internet traffic from VM1. After configuring RT12 to route internet traffic from VM1 through VM2, traffic reaches VM2 but then it is dropped. You verify that routing for VM2 is configured correctly.


NEW QUESTION # 71
You need to troubleshoot the CosmosDB1 issues from the on-premises environment. What should you use?

  • A. route command
  • B. Network Watcher next hop diagnostic tool
  • C. Network Watcher Connection troubleshoot diagnostic tool
  • D. nslookup command

Answer: C

Explanation:
This tool helps you troubleshoot network connectivity issues from a virtual machine to a given endpoint. It tests for reachability from the virtual machine to the endpoint and provides information about why a connection fails [1]. In this case, you can use this tool to troubleshoot the connectivity issues from the on-premises environment to CosmosDB1.


NEW QUESTION # 72
......


Schedule exam

Languages: English

Retirement date: none

This exam measures your ability to accomplish the following technical tasks: troubleshoot business continuity issues; troubleshoot hybrid and cloud connectivity issues; troubleshoot Platform as a Service issues; troubleshoot authentication and access control issues; troubleshoot networks; and troubleshoot VM connectivity issues.

 
