
Troubleshooting Microsoft Azure Connectivity AZ-720 Exam Questions and Answers – 1

The latest Troubleshooting Microsoft Azure Connectivity AZ-720 certification practice exam question and answer (Q&A) dumps are available free to help you pass the Troubleshooting Microsoft Azure Connectivity AZ-720 exam and earn the Troubleshooting Microsoft Azure Connectivity AZ-720 certification.

Question 91

Exam Question

HOTSPOT (Drag & Drop is not supported)

A company has an Azure Active Directory (Azure AD) tenant. You are assigned the Owner role-based access control (RBAC) role of an Azure resource group named RG1.

An administrator grants a user named User1 the Contributor RBAC role for RG1. User1 receives an authorization error when attempting to create a Cosmos DB account in RG1.

The administrator verifies that they can create a Cosmos DB account in RG1. You need to troubleshoot the issue.

What should you do?

Requirement: Determine the cause of the issue.

Action:

  • Review the resource locks of RG1.
  • Review the deny assignments of RG1.
  • Review the list of classic administrators for the subscription.

Requirement: Resolve the issue.

Action:

  • Configure Azure resource locks.
  • Configure RBAC role assignments.
  • Configure Azure Blueprints locking mode.

Correct Answer

Determine the cause of the issue: Review the list of classic administrators for the subscription.

Resolve the issue: Configure Azure resource locks.

Question 92

Exam Question

A company has an Azure tenant. The company deploys an Azure Firewall named FW1 using the Standard SKU. You configure FW1 using classic firewall rules.

The company creates an application rule collection with the following settings:

Priority: 100
Action: Deny
Rule type: FQDN
Source type: IP address
Source: *
Protocol: http:80,https:443
Target FQDN: *.cloud.contoso.com

An engineer observes that traffic to console.cloud.contoso.com is still allowed by FW1.

You need to determine why the traffic is allowed.

What should you review?

A. Application rules
B. Infrastructure rules
C. Network rules
D. Web categories

Correct Answer

B. Infrastructure rules

Question 93

Exam Question

HOTSPOT (Drag & Drop is not supported)

A customer creates an Azure resource group named RG1 in the East US region. RG1 contains the following resources:

| Resource | Name | Comments |
|---|---|---|
| Azure SQL Database logical server | sqlsvr1 | The server uses the public IP address 40.79.153.12 and hosts a database named DB1. |
| Azure Virtual Network | VNET1 | The network has the following subnets: subnet1 and subnet2. |
| Azure virtual machine (VM) | VM1 | The VM connects to subnet1 and uses the private IP address 192.168.1.100. |

The customer performs the following tasks:

  • Create a private endpoint for sqlsvr1 in subnet2 with the private IP address of 192.168.2.100.
  • Create a private DNS zone named privatelink.database.windows.net by using a single A record named sqlsvr1 and the IP address 192.168.2.100.
  • Disable public access by using the public endpoint for sqlsvr1.

The customer reports that connections from VM1 to DB1 are failing. The solution must allow connections from VM1 to DB1 without making platform-level changes.

You need to troubleshoot and resolve the issue. What should you do?

Requirement: Review effective routes for VM1’s network interface card to determine if routing from VM1 to DB1 is properly configured.

Action:

  • Search for a next hop entry with the IP address of 192.168.2.100.
  • Search for a next hop entry with the IP address of 40.79.153.12.
  • Search for an entry with an IP address prefix that matches the Azure SQL Database service tag.

Requirement: Ensure that connections from VM1 to DB1 can succeed.

Action:

  • Link the private DNS zone with VNET1.
  • Update the routing table for VM1.
  • Modify the default gateway setting for VM1.

Correct Answer

Review effective routes for VM1’s network interface card to determine if routing from VM1 to DB1 is properly configured: Search for a next hop entry with the IP address of 192.168.2.100.

Ensure that connections from VM1 to DB1 can succeed: Modify the default gateway setting for VM1.

Question 94

Exam Question

A company deploys a new file sharing application on four Standard_D2_v3 virtual machines (VMs) behind an Azure Load Balancer. The company implements Azure Firewall.

Users report that the application is slow during peak usage periods. An engineer reports that the peak usage for each VM is approximately 1 Gbps.

You need to implement a solution that supports a minimum of 10 Gbps.

What should you do to increase the throughput?

A. Disable the Azure Firewall and implement network security groups in its place.
B. Request an increase in networking quotas.
C. Move two of the servers behind a separate load balancer and configure round robin routing in Traffic Manager.
D. Increase the size of the VM instance.

Correct Answer

C. Move two of the servers behind a separate load balancer and configure round robin routing in Traffic Manager.

Question 95

Exam Question

A company has an Azure Virtual Network gateway named VNetGW1. The company enables point-to-site connectivity on VNetGW1. An administrator configures VNetGW1 for the following:

  • OpenVPN for the tunnel type.
  • Azure certificate for the authentication type.

Users receive a certificate mismatch error when connecting by using a VPN client.

You need to resolve the certificate mismatch error.

What should you do?

A. Configure the tunnel type for IKEv2 and OpenVPN on VNetGW1.
B. Create a profile manually, add the server FQDN and reissue the client certificate.
C. Install a Secure Socket Tunneling Protocol (SSTP) VPN client on the users’ computers.
D. Configure preshared key for authentication on the VPN profile.

Correct Answer

B. Create a profile manually, add the server FQDN and reissue the client certificate.

Explanation

To resolve the certificate mismatch error, you should create a profile manually, add the server FQDN, and reissue the client certificate. According to [1], when you use OpenVPN for the tunnel type on point-to-site VPN connections, you need to ensure that your client certificates have the correct server FQDN as one of their subject alternative names (SANs). Otherwise, you will receive a certificate mismatch error when connecting by using a VPN client.

Question 96

Exam Question

A company uses Azure AD Connect. The company plans to implement self-service password reset (SSPR).

An administrator receives an error that password writeback could not be enabled during the Azure AD Connect configuration. The administrator observes the following event log error: Error getting auth token

You need to resolve the issue.

Solution: Disable password writeback and then enable password writeback.

Does the solution meet the goal?

A. No
B. Yes

Correct Answer

A. No

Question 97

Exam Question

A company has an Azure Active Directory (Azure AD) tenant. The company deploys Azure AD Connect to synchronize objects from their Active Directory Domain Services (AD DS) domain.

You observe that AD DS objects are not synchronizing to Azure AD.

You need to verify that the staging mode is enabled.

What should you do?

A. Review the history for the Azure AD Connect sync scheduled task.
B. Run this PowerShell cmdlet: Get-ADSyncScheduler
C. Review the triggers for the Azure AD Connect sync scheduled task.
D. Run this PowerShell cmdlet: Get-ADSyncConnectorRunStatus

Correct Answer

B. Run this PowerShell cmdlet: Get-ADSyncScheduler

Explanation

Azure AD Connect has a staging mode feature that allows you to install multiple sync servers for high availability or disaster recovery purposes. When staging mode is enabled on a sync server, it doesn’t export any changes to Azure AD or your on-premises AD DS environment.

To verify that staging mode is enabled on a sync server, you can run the Get-ADSyncScheduler PowerShell cmdlet and check the value of the StagingModeEnabled property. If it is True, then staging mode is enabled and no synchronization will occur.

Question 98

Exam Question

A company has users in Azure Active Directory (Azure AD). The company enables the users to use Azure AD multi-factor authentication (MFA).

A user named User1 reports they receive the following error while setting up additional security verification settings for MFA: Sorry! We can’t process your request. Your session is invalid or expired. There was an error processing your request because your session is invalid or expired. Please try again.

You need to help the user complete the MFA setup.

What should you do?

A. Instruct the user to complete the setup process within 10 minutes.
B. From the Microsoft 365 Admin portal, clear the Block this user from signing in option for the user.
C. Instruct the user to clear their web browser cache.
D. Instruct the user to enter the correct verification code.
E. From the Azure AD portal, reset the user’s password.

Correct Answer

E. From the Azure AD portal, reset the user’s password.

Question 99

Exam Question

A customer has an Azure subscription. Microsoft Defender for servers is enabled for the subscription. The customer has not configured network security groups.

The customer configures a resource group named RG1 that contains the following resources:

  • A virtual machine named VM1.
  • A network interface named NIC1 that is attached to VM1.

The customer grants a user named Admin1 the following permission for RG1: Microsoft.Security/locations/jitNetworkAccessPolicies/write.

Admin1 reports that the JIT VM access pane in the Azure portal does not show any entries. When you view the same pane, VM1 appears on the Unsupported tab.

You need to ensure that Admin1 can enable just-in-time (JIT) VM access for VM1. The solution must adhere to the principle of least privilege.

Which three actions should you recommend be performed in sequence?

To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Actions:

  • Assign Admin1 the Contributor role for RG1.
  • Instruct Admin1 to associate an application security group with NIC1.
  • Instruct Admin1 to associate a network security group with NIC1.
  • Grant Admin1 the following permission for RG1: Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action.
  • Instruct Admin1 to create an application security group.
  • Instruct Admin1 to create a network security group.
  • Assign Admin1 the Owner role for RG1.

Correct Answer

1 – Instruct Admin1 to create an application security group.
2 – Instruct Admin1 to associate an application security group with NIC1.
3 – Instruct Admin1 to create a network security group.

Question 100

Exam Question

A company uses Azure AD Connect. The company plans to implement self-service password reset (SSPR).

An administrator receives an error that password writeback could not be enabled during the Azure AD Connect configuration. The administrator observes the following event log error: Error getting auth token

You need to resolve the issue.

Solution: Use a global administrator account with a password that is less than 256 characters to configure Azure AD Connect.

Does the solution meet the goal?

A. Yes
B. No

Correct Answer

A. Yes