AZ-720 Dumps


killexams.com


Microsoft


AZ-720


Troubleshooting Microsoft Azure Connectivity


https://killexams.com/pass4sure/exam-detail/AZ-720


Question: 21


HOTSPOT


A company uses Azure Active Directory (Azure AD) for authentication. The company synchronizes Azure AD with an on-premises Active Directory domain.


The company reports that an Azure AD object fails to sync. You need to determine which objects are not syncing.

Which troubleshooting steps should you use to diagnose the failure?



Answer: B


Question: 22


A company manages a solution that uses Azure Functions.


A function returns the following error: Azure Function Runtime is unreachable.

You need to troubleshoot the issue.


What are two possible causes of the issue?


  A. The execution quota is full.

  B. The company did not configure a timer trigger.

  C. The storage account application settings were deleted.

  D. The function key was deleted.

  E. The storage account for the function was deleted.


Answer: A,C,E


Explanation:


Two possible causes of the issue where a function returns the error "Azure Function Runtime is unreachable" are:


C. The storage account application settings were deleted.


E. The storage account for the function was deleted.


According to Microsoft, this issue occurs when the Functions runtime can't start. The most common reason for this is that the function app has lost access to its storage account. If that account is deleted or if the storage account application settings were deleted, your functions won't work.


https://learn.microsoft.com/en-us/azure/azure-functions/functions-recover-storage-account


Question: 23


A company has an ExpressRoute gateway between their on-premises site and Azure. The ExpressRoute gateway is on a virtual network named VNet1. The company enables FastPath on the gateway. You associate a network security group (NSG) with all of the subnets.


Users report issues connecting to VM1 from the on-premises environment. VM1 is on a virtual network named VNet2. Virtual network peering is enabled between VNet1 and VNet2.


You create a flow log named FlowLog1 and enable it on the NSG associated with the gateway subnet. You discover that FlowLog1 is not reporting outbound flow traffic.

You need to resolve the issue with FlowLog1. What should you do?

  A. Enable FlowLog1 in a network security group associated with the subnet of VM1.

  B. Configure the FlowTimeoutInMinutes property on VNet2 to a non-null value.

  C. Configure the FlowTimeoutInMinutes property on VNet1 to a non-null value.

  D. Configure FlowLog1 for version 2.


Answer: A


Explanation:

According to [2], when FastPath is enabled on an ExpressRoute gateway, network traffic between your on-premises network and your virtual network bypasses the gateway and goes directly to virtual machines in the virtual network. Therefore, if you want to capture outbound flow traffic from VM1, you need to enable flow logging on an NSG associated with the subnet of VM1.


Question: 24


HOTSPOT


A company attempts to implement just-in-time (JIT) access for a virtual machine (VM) named VM1. The company reports that they are unable to complete the process.

You need to implement JIT access and test the deployment. Which PowerShell cmdlets should you run?


Answer: A


Question: 25


A company enables just-in-time (JIT) virtual machine (VM) access in Azure.


An administrator observes a list of VMs on the Unsupported tab of the JIT VM access page in the Microsoft Defender for Cloud portal.


You need to determine why some VMs are not supported for JIT VM access. What should you conclude?

  A. The administrator is using the Microsoft Defender for Cloud free tier.

  B. The VMs were provisioned by using a classic deployment.

  C. The administrator does not have the SecurityReader role.

  D. The administrator does not have permissions to request JIT access to the VMs.


Answer: B


Explanation:


JIT VM access is only supported for VMs that are deployed using the Azure Resource Manager (ARM) deployment model. VMs that are provisioned using the classic deployment model are not compatible with JIT VM access and will be displayed under the Unsupported tab of the JIT VM access page in the Microsoft Defender for Cloud portal.


Question: 26


A company migrates an on-premises Windows virtual machine (VM) to Azure. An administrator enables backups for the VM by using the Azure portal.


The company reports that the Azure VM backup job is failing. You need to troubleshoot the issue.

Solution: Create a new manual backup in Backup center.

Does the solution meet the goal?

  A. Yes

  B. No


Answer: B


Explanation:


It is unlikely that creating a new manual backup in Backup center would resolve the issue of an Azure VM backup job failing after enabling backups for the VM through the Azure portal. To troubleshoot the issue, the administrator should first check the Azure VM backup job logs and identify the specific error message or code provided. This can help identify the underlying issue and the appropriate solution.


Therefore, the solution mentioned in the question is incorrect and the answer is B. No. Reference: Troubleshoot Azure VM backup failures (Microsoft documentation)


Question: 27


DRAG DROP


You manage an Azure point-to-site (P2S) VPN deployment. All users connect regularly from their personal Windows computer through a P2S VPN by using certificate-based authentication.


A new user attempts to establish a P2S VPN connection.

The user receives the following error message:


A certificate could not be found that can be used with this Extensible Authentication protocol. (Error 798)

You need to assist the user with resolving the certificate issue.

What should you do? To answer, drag the appropriate locations to the correct task. Each location may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.



Answer: B

Explanation:

  1. Provide the target certificate location for importing a Client Authentication key usage certificate file with the .pfx extension.

    Current User\Personal

    This is the location where the client certificate should be installed on the user's personal Windows computer. The client certificate is generated from the self-signed root certificate and then exported with the .pfx extension. The client certificate is used to authenticate the user to the Azure point-to-site VPN gateway [1].

  2. Provide the target certificate location for importing a Certificate Signing certificate key usage file with the .cer extension.

    Local Computer\Trusted Root Certification Authorities

    This is the location where the root certificate should be installed on the user's personal Windows computer. The root certificate is a self-signed certificate that is used to sign the client certificates. The root certificate public key data is also uploaded to Azure point-to-site VPN configuration. The root certificate is exported with the .cer extension [1].


Question: 28


A company uses an Azure Virtual Network (VNet) gateway named VNetGW1. VNetGW1 connects to a partner site by using a site-to-site VPN connection with dynamic routing.


The company observes that the VPN disconnects from time to time. You need to troubleshoot the cause for the disconnections.

What should you verify?


  A. The partner's VPN device and VNetGW1 are configured using the same shared key.

  B. The partner's VPN device is configured for one VPN tunnel per subnet pair.

  C. The public IP address of the partner's VPN device is configured in the local network gateway address space on VNetGW1.

  D. The partner's VPN device and VNetGW1 are configured with the same virtual network address space.


Answer: B


Explanation:


To troubleshoot the cause for the VPN disconnections between VNetGW1 and the partner site, you should verify that the partner's VPN device is configured for one VPN tunnel per subnet pair.


Question: 29


A customer has an Azure Virtual Network named VNet1 that contains an internal standard SKU load balancer named LB1. The backend pool for LB1 includes the following virtual machines: VM1, VM2.


The customer configures a rule named Rule1 to load balance incoming HTTPS requests for VM1 and VM2. Rule1 is associated with an HTTPS health probe. The path for the probe is set to /.


The network adapters of VM1 and VM2 are associated with a network security group named NSG1 that contains the following rules:



You connect to https://VM1 and https://VM2 from VNet1. Attempts to connect using the front-end IP address of LB1 are failing.


You need to resolve the issue. What should you do?


  A. Change the health probe associated with Rule1 to use HTT

  B. Add an NSG1 rule with the source set to VirtualNetwork.

  C. Change the health probe associated with Rule1 to use TC

  D. Add an NSG1 rule with the source set to AzureLoadBalancer.


Answer: C


Explanation:


According to Microsoft, Azure Load Balancer health probes originate from the IP address 168.63.129.16 and must not be blocked for probes to mark your instance as up. The AzureLoadBalancer service tag identifies this source IP address in your network security groups and permits health probe traffic by default [1].

https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview

Question: 30


A company uses Azure AD Connect. The company plans to implement self-service password reset (SSPR).


An administrator receives an error that password writeback could not be enabled during the Azure AD Connect configuration.


The administrator observes the following event log error: Error getting auth token

You need to resolve the issue. What should you do?

  A. Restart the Azure AD Connect service.

  B. Configure Azure AD Connect using a global administrator account that is not federated.

  C. Configure Azure AD Connect using a global administrator account with a password that is less than 256 characters.

  D. Disable password writeback and then enable password writeback using the Azure AD Connect configuration.


Answer: A


Explanation:


The error message "Error getting auth token" occurs when you specify an incorrect password for the global administrator account provided at the beginning of the Azure AD Connect installation process.


To resolve this issue, you should check that you have specified the correct password for your global administrator account. If you have specified an incorrect password, update it and then restart the Azure AD Connect service.


Question: 31


A company has virtual machines (VMs) in the following Azure regions:

  - West Central US

  - Australia East


The company uses ExpressRoute private peering to provide connectivity to VMs hosted on each region and on-premises services.


The company implements global VNet peering between a VNet in each region. After configuring VNet peering, VM traffic attempts to use ExpressRoute private peering.


You need to ensure that traffic uses global VNet peering instead of ExpressRoute private peering. The solution must preserve existing on-premises connectivity to Azure VNets.


What should you do?


  A. Add a user-defined route to the subnets route table.

  B. Add a filter to the on-premises routers.

  C. Add a second VNet to the virtual machines and configure VNet peering between the VNets.

  D. Disable the ExpressRoute peering connections for one of the regions.


Answer: A


Explanation:


To ensure that traffic uses global VNet peering instead of ExpressRoute private peering, you should add a user-defined route to the subnets route table. According to [2], global VNet peering allows virtual networks across regions to communicate using private IP addresses as if they were in the same region. However, if there is an existing ExpressRoute private peering between two regions that also have global VNet peering enabled, traffic will prefer ExpressRoute over global VNet peering by default. To override this behavior and force traffic to use global VNet peering instead of ExpressRoute private peering for a specific subnet or virtual network gateway connection, you need to add a user-defined route with a next hop type of Virtual Network Peering.


Question: 32


HOTSPOT


A company deploys Azure Traffic Manager load balancing for an Azure App Service solution.


Load balancing performance is showing a degraded status after deployment, and new HTTPS probes are failing to reach the Traffic Manager endpoints.


You need to troubleshoot the probe failure.


How should you complete the PowerShell script?


Answer: A


Question: 33


A company plans to use an Azure PaaS service by using Azure Private Link service. The Azure Private Link service and an endpoint have been configured.


The company reports that the endpoint is unable to connect to the service. You need to resolve the connectivity issue.

What should you do?


  A. Disable the endpoint network policies.

  B. Validate the VPN device.

  C. Approve the connection state.

  D. Disable the service network policies.


Answer: C


Explanation:


To resolve the connectivity issue, you should approve the connection state. According to [1], Azure Private Link service requires manual approval of connection requests from private endpoints by default. You can approve or reject a connection request by using PowerShell cmdlets or Azure portal.


Question: 34


A company migrates an on-premises Windows virtual machine (VM) to Azure. An administrator enables backups for the VM by using the Azure portal.


The company reports that the Azure VM backup job is failing. You need to troubleshoot the issue.

Solution: Install the VM guest agent by using administrative permissions.

Does the solution meet the goal?

  A. Yes

  B. No

Answer: A


Explanation:


Yes, installing the VM guest agent by using administrative permissions could resolve the issue of the Azure VM backup job failing after enabling backups for the VM through the Azure portal. When backing up a virtual machine in Azure, it is necessary to install the VM guest agent to enable proper communication between the VM and the backup service. An administrative user account is required to install the agent. Therefore, the solution mentioned in the question is correct and the answer is A. Yes.


Reference: Back up a virtual machine in Azure (Microsoft documentation)


Question: 35


A company deploys ExpressRoute.


The company reports that there is an autonomous system (AS) number mismatch. You need to identify the AS number of the circuit.

Which PowerShell cmdlet should you run?


  A. Get-AzExpressRouteCircuitPeeringConfig

  B. Get-AzExpressRouteCircuitStats

  C. Get-AzExpressRouteCircuitRouteTable

  D. Get-AzExpressRouteCircuit


Answer: D


Explanation:


To identify the AS number of the circuit when there is an autonomous system (AS) number mismatch in ExpressRoute, you should run the Get-AzExpressRouteCircuit PowerShell cmdlet. Therefore, option D is correct.