Microsoft Microsoft Certified: Azure Support Engineer for Connectivity Specialty AZ-720 Questions & Answers

• Question 31:

  A company plans to implement ExpressRoute by using the provider connectivity model.

  The company creates an ExpressRoute circuit. You are unable to connect to resources through the circuit.

  You need to determine the provisioning state of the service provider.

  Which PowerShell cmdlet should you run?

  A. Get-AzExpressRouteCircuitPeeringConfig

  B. Get-AzExpressRouteCircuitRouteTable

  C. Get-AzExpressRouteCircuitConnectionConfig

  D. Get-AzExpressRouteCircuit

  E. Get-AzExpressRouteCircuitARPTable

  Correct Answer: D

  https://learn.microsoft.com/en-us/powershell/module/az.network/get-azexpressroutecircuit?view=azps-9.3.0#example-1-get-the-expressroute-circuit

  The output of command Get-AzExpressRouteCircuit looks like this : Name : test ResourceGroupName : testrg Location : southcentralus Id : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testrg/pro viders/Microsoft.Network/expressRouteCircuits/test Etag : W/"00000000-0000-0000-0000-000000000000" ProvisioningState : Succeeded

• Question 32:

  A company has an Azure point-to-site virtual private network (VPN) that uses certificate- based authentication.

  A user reports that the following error message when they try to connect to the VPN by using a VPN client on a Windows 11 machine:

  1.

  A certificate could not be found

  2.

  You need to resolve the issue. Which three actions should you perform?

  A. Configure an Azure Active Directory (Azure AD) tenant.

  B. Install a root certificate on the user's device.

  C. Generate a root certificate.

  D. Install a client certificate on the VPN gateway.

  E. Enable Azure AD authentication on the gateway

  F. Generate a client certificate.

  G. Install a client certificate on the user's device.

  Correct Answer: BFG

• Question 33:

  A company uses Azure AD Connect. The company plans to implement self-service password reset (SSPR).

  An administrator receives an error that password writeback cloud not be enabled during the Azure AD Connect configuration. The administrator observes the following event log error:

  Error getting auth token

  You need to resolve the issue.

  Solution: Disable password writeback and then enable password writeback.

  Does the solution meet the goal?

  A. Yes

  B. No

  Correct Answer: B

  The solution of disabling and re-enabling password writeback may not meet the goal of resolving the issue. According to 1, there are other steps that you should try before disabling and re-enabling password writeback, such as:

  1.

  Confirm network connectivity

  2.

  Restart the Azure AD Connect Sync service

  3.

  Install the latest Azure AD Connect release

  4.

  Troubleshoot password writeback

  If none of these steps work, then you can try to disable and re-enable password writeback as a last resort.

• Question 34:

  A company migrates an on-premises Windows virtual machine (VM) to Azure. An administrator enables backups for the VM by using the Azure portal.

  The company reports that the Azure VM backup job is failing.

  You need to troubleshoot the issue.

  What should you do?

  A. Create a new manual backup in Backup center.

  B. Run chkdsk on the VM.

  C. Configure the retention range of the current backup policy for the VM.

  D. Install the VM guest agent with administrative permissions.

  E. Enable replication and create a recovery plan for the backup vault.

  Correct Answer: D

  According to Microsoft Azure's troubleshooting documentation, one of the steps to troubleshoot backup failures on Azure virtual machines is to check the Azure VM Guest Agent service health. You should ensure that the Azure VM Guest Agent service is started and up-to-date 1. On a Windows VM, you can navigate to services.msc and ensure that the Windows Azure VM Guest Agent service is up and running. Also, ensure that the latest version is installed 2

• Question 35:

  A company uses Azure Site Recovery (ASR) to replicate and recover Azure virtual machines (VM) between Azure regions.

  An administrator receives the following warning from ASR about a VM that uses P10 disks:

  Data change rate beyond supported limits

  You add OS Disk Write Bytes/Sec and Data Disk Write Bytes/Sec to the list of metrics for monitoring. You discover that the VM consistently has a data churn of greater than 8 MB/s but less than 10 MB/s.

  You need to resolve the issue.

  What should you do?

  A. Uninstall the Volume Shadow Copy Service (VSS) Provider service.

  B. Use AzCopy to upload data to a cache storage account.

  C. Create a network service endpoint in a virtual network.

  D. Upgrade the target storage disk.

  Correct Answer: D

  Azure Site Recovery has limits on data change rates depending on the type of disk used for replication. If a VM has a data change rate higher than the supported limit for its disk type, it can cause replication issues or errors. To resolve this issue, you can upgrade the target storage disk to a higher tier that supports higher data change rates.

• Question 36:

  A company migrates an on-premises Windows virtual machine (VM) to Azure. An administrator enables backups for the VM by using the Azure portal.

  The company reports that the Azure VM backup job is failing.

  You need to troubleshoot the issue.

  Solution: Install the VM guest agent by using administrative permissions. Does the solution meet the goal?

  A. Yes

  B. No

  Correct Answer: A

  Yes, installing the VM guest agent by using administrative permissions could resolve the issue of the Azure VM backup job failing after enabling backups for the VM through the Azure portal. When backing up a virtual machine in Azure, it is

  necessary to install the VM guest agent to enable proper communication between the VM and the backup service. An administrative user account is required to install the agent. Therefore, the solution mentioned in the question is correct and

  the answer is A. Yes.

  Reference:

  Back up a virtual machine in Azure (Microsoft documentation)

• Question 37:

  A company uses Azure AD Connect. The company plans to implement self-service password reset (SSPR).

  An administrator receives an error that password writeback cloud not be enabled during the Azure AD Connect configuration. The administrator observes the following event log error:

  Error getting auth token

  You need to resolve the issue.

  Solution: Use a global administrator account with a password that is less than 256 characters to configure Azure AD Connect.

  Does the solution meet the goal?

  A. Yes

  B. No

  Correct Answer: B

  No, restarting the Azure AD Connect service would not resolve the issue described in the scenario. The error message "Error getting auth token" indicates there is a problem with authentication

  , which is preventing password writeback from being enabled during the Azure AD Connect configuration.

  To resolve this issue, you should first confirm that the Azure AD Connect server can authenticate to the Azure AD tenant by using a valid set of credentials. If authentication is successful, then you can investigate other possible causes such

  as network connectivity issues, misconfigured firewall rules, expired certificates, etc.

  Therefore, the correct answer is option B, "No".

  Reference:

  https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-authentication

  https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-password-writeback#troubleshooting-steps

• Question 38:

  A company configures an Azure site-to-site VPN between an on-premises network and an Azure virtual network.

  The company reports that after completing the configuration, the VPN connection cannot be established.

  You need to troubleshoot the connection issue.

  What should you do first?

  A. Identify the shared key by running this PowerShell cmdlet: Get-AzVirtualNetworkGatewayConnectionSharedKey.

  B. Identify the shared key by running this PowerShell cmdlet: Get- AzVirtualNetworkGatewayConnectionVpnDeviceConfigScript.

  C. Verify the AzureRoot.cer file exists.

  D. Verify the AzureClient.pfx file exists.

  Correct Answer: A

  To troubleshoot the connection issue, you should do first identify the shared key by running this PowerShell cmdlet: Get-AzVirtualNetworkGatewayConnectionSharedKey. According to 1, this cmdlet returns the shared key that is used for

  authentication between an Azure virtual network gateway and a local network gateway. You can use this cmdlet to verify that the shared key matches on both sides of the VPN connection.

  Therefore, you should choose A. Identify the shared key by running this PowerShell cmdlet:

  Get-AzVirtualNetworkGatewayConnectionSharedKey.

• Question 39:

  A company has an ExpressRoute gateway between their on-premises site and Azure. The ExpressRoute gateway is on a virtual network named VNet1. The company enables FastPath on the gateway. You associate a network security group

  (NSG) with all of the subnets.

  Users report issues connecting to VM1 from the on-premises environment. VM1 is on a virtual network named VNet2. Virtual network peering is enabled between VNet1 and VNet2.

  You create a flow log named FlowLog1 and enable it on the NSG associated with the gateway subnet.

  You discover that FlowLog1 is not reporting outbound flow traffic.

  You need to resolve the issue with FlowLog1.

  What should you do?

  A. Enable FlowLog1 in a network security group associated with the subnet of VM1.

  B. Configure the FlowTimeoutInMinutes property on VNet2 to a non-null value.

  C. Configure the FlowTimeoutInMinutes property on VNet1 to a non-null value.

  D. Configure FlowLog1 for version 2.

  Correct Answer: A

  According to 2, when FastPath is enabled on an ExpressRoute gateway, network traffic between your on-premises network and your virtual network bypasses the gateway and goes directly to virtual machines in the virtual network. Therefore, if you want to capture outbound flow traffic from VM1, you need to enable flow logging on an NSG associated with the subnet of VM1.

• Question 40:

  A company has an Azure tenant. The company deploys an Azure Firewall named FW1 using the Standard SKU. You configure FW1 using classic firewall rules.

  The company creates an application rule collection with the following settings:

  Priority: 100

  Action: Deny

  Rule type: FQDN

  Source type: IP address

  Source: *

  Protocol: http:80,https:443

  Target FQDN: *.cloud.contoso.com

  An engineer observes that traffic to console.cloud.conotoso.com is still allowed by FW1.

  You need to determine why the traffic is allowed.

  What should you review?

  A. Network rules

  B. Web categories

  C. Infrastructure rules

  D. Application rules

  Correct Answer: A

  To determine why the traffic is allowed, you should review network rules. According to 3, Azure Firewall uses network rules to allow or deny traffic based on source and destination IP address, port, and protocol. Network rules are applied before application rules and have higher priority than application rules. Therefore, if there is a network rule that allows traffic to console.cloud.contoso.com on port 80 or 443, it will override the application rule that denies traffic based on FQDN.