Microsoft Microsoft Certifications AZ-720 Questions & Answers

• Question 51:

  A company connects their on-premises network by using Azure VPN Gateway. The on- premises environment includes three VPN devices that separately tunnel to the gateway by using Border Gateway Protocol (BGP).

  A new subnet should be unreachable from the on-premises network.

  You need to implement a solution.

  Solution: Configure a route table with route propagation disabled.

  Does the solution meet the goal?

  A. Yes

  B. No

  Correct Answer: B

  The proposed solution of configuring a route table with route propagation disabled will not meet the goal of making the new subnet unreachable from the on- premises network.

  Route tables in Azure are used to control traffic flow within a virtual network and between virtual networks. By default, each subnet in an Azure virtual network is associated with a system-generated route table, which contains a default route

  that enables traffic to flow to and from all the subnets within the virtual network. Disabling route propagation in a custom route table would prevent any new routes from being propagated to the associated subnets. However, it would not

  prevent traffic from the on-premises network from reaching the new subnet since traffic between the virtual network and the on-premises network would still use the default route in the system- generated route table.

  To meet the goal of making the new subnet unreachable from the on-premises network, you would need to create a new route table with a route that sends traffic destined for the new subnet to a null interface. This would cause the traffic to

  be dropped and the subnet to be effectively unreachable from the on-premises network.

  Reference:

  Microsoft documentation on how to create a custom route table and associate it with a subnet:

  https://docs.microsoft.com/en-us/azure/virtual-network/manage-route-table#create-a-custom-route-table.

  Microsoft documentation on how to configure a route to a null interface:

  https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table-portal#to-route-to-a-null-interface.

• Question 52:

  A company uses an Azure Virtual Network (VNet) gateway named VNetGW1. VNetGW1 connects to a partner site by using a site-to-site VPN connection with dynamic routing.

  The company observes that the VPN disconnects from time to time.

  You need to troubleshoot the cause for the disconnections.

  What should you verify?

  A. The partner's VPN device and VNetGW1 are configured using the same shared key.

  B. The IP address of the local network gateway matches the partner's VPN device.

  C. The partner's VPN device is enabled for Perfect forward secrecy.

  D. The partner's VPN device and VNetGW1 are configured with the same virtual network address space.

  Correct Answer: C

  https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-troubleshoot-site-to-site-disconnected-intermittently (step 7)

• Question 53:

  A company uses an Azure VPN gateway to connect to their on-premises environment.

  The company's on-premises VPN gateway is used by several services. One service is experiencing connectivity issues.

  You need to minimize downtime for all services and resolve the connectivity issue.

  Which three actions should you perform?

  A. Configure the hashing algorithm to be different on both gateways.

  B. Rest the VPN gateway.

  C. Configure the pre-shared key to be the same on the Azure VPN gateway and the on- premises VPN gateways.

  D. Rest the VPN connection.

  E. Configure the hashing algorithm to be the same on both gateways.

  F. Configure the pre-shared key to be different on the Azure VPN gateway and the on- premises VPN gateways.

  Correct Answer: CDE

• Question 54:

  A company deploys Azure Bastion to connect to their virtual machine (VM) infrastructure. An engineer attempts to connect to a Windows VM by using Remote Desktop Protocol (RDP). The connection fails.

  You need to troubleshoot the issue.

  Which two actions should you perform?

  A. Monitor traffic with the following PowerShell cmdlet Test- AzNetworkWatcherConnectivity.

  B. Configure Azure Bastion with static assignment.

  C. Apply a network security group on the same subnet as Azure Bastion.

  D. Run the Network Watcher Connection troubleshoot service.

  E. Monitor traffic with the following PowerShell cmdlet New-AzNetworkWatcherFlowLog.

  Correct Answer: AD

  The two actions that should be performed to troubleshoot the issue of a failed RDP connection to a Windows VM through Azure Bastion are A) Monitor traffic with the PowerShell cmdlet 'Test-AzNetworkWatcherConnectivity' and D) Run the

  Network Watcher Connection troubleshoot service.

  A) Monitor traffic with the PowerShell cmdlet 'Test-AzNetworkWatcherConnectivity': This cmdlet can be used to verify connectivity between two endpoints in Azure. By monitoring traffic, you can identify the root cause of issues with the VM's

  connectivity through Azure Bastion.

  D) Run the Network Watcher Connection troubleshoot service: This service can help identify the root cause of connectivity issues with Azure resources. It analyses network traffic to identify common misconfiguration issues and provides

  guidance on how to resolve them.

  Reference:

  https://docs.microsoft.com/en-us/azure/bastion/bastion-troubleshoot

  https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-connectivity-powershell

• Question 55:

  A company uses Azure AD Connect. The company plans to implement self-service password reset (SSPR).

  An administrator receives an error that password writeback cloud not be enabled during the Azure AD Connect configuration. The administrator observes the following event log error:

  Error getting auth token

  You need to resolve the issue.

  Solution: Use a global administrator account that is not federated to configure Azure AD Connect.

  Does the solution meet the goal?

  A. Yes

  B. No

  Correct Answer: B

  The proposed solution to use a global administrator account that is not federated to configure Azure AD Connect does not directly address the error message "Error getting auth token" described in the scenario , so it is unlikely to solve the

  issue.

  To resolve this issue, you should verify that the Azure AD Connect server can authenticate to the Azure AD tenant using valid credentials. If authentication is successful, then you can investigate other possible causes such as network

  connectivity problems, misconfigured firewall rules, expired certificates, etc.

  Therefore, the correct answer remains option B, "No".

  Reference:

  https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-authentication

  https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-password-writeback

• Question 56:

  A company uses Azure AD Connect. The company plans to implement self-service password reset (SSPR).

  An administrator receives an error that password writeback could not be enabled during the Azure AD Connect configuration. The administrator observes the following event log error:

  Error getting auth token

  You need to resolve the issue.

  What should you do?

  A. Restart the Azure AD Connect service.

  B. Configure Azure AD Connect using a global administrator account that is not federated.

  C. Configure Azure AD Connect using a global administrator account with a password that is less than 256 characters.

  D. Disable password writeback and then enable password writeback using the Azure AD Connect configuration.

  Correct Answer: B

• Question 57:

  A company has an Azure Virtual Network gateway named VNetGW1. The company enables point-to-site connectivity on VNetGW1. An administrator configures VNetGW1 for the following:

  1.

  OpenVPN for the tunnel type.

  2.

  Azure certificate for the authentication type.

  Users receive a certificate mismatch error when connecting by using a VPN client.

  You need to resolve the certificate mismatch error.

  What should you do?

  A. Configure the tunnel type for IKEv2 and OpenVPN on VNetGW1.

  B. Create a profile manually, add the server FQDN and reissue the client certificate.

  C. Install a Secure Socket Tunneling Protocol (SSTP) VPN client on the user's computers.

  D. Configure preshared key for authentication on the VPN profile.

  Correct Answer: B

  To resolve the certificate mismatch error, you should create a profile manually, add the server FQDN and reissue the client certificate. According to 1, when you use OpenVPN for tunnel type on point-to-site VPN connections, you need to ensure that your client certificates have the correct server FQDN as one of their subject alternative names (SANs). Otherwise, you will receive a certificate mismatch error when connecting by using a VPN client.

• Question 58:

  A company enables just-in-time (JIT) virtual machine (VM) access in Azure.

  An administrator observes a list of VMs on the Unsupported tab of the JIT VM access page in the Microsoft Defender for Cloud portal.

  You need to determine why some VMs are not supported for JIT VM access.

  What should you conclude?

  A. The administrator is using the Microsoft Defender for Cloud free tier.

  B. The VMs were provisioned by using a classic deployment.

  C. The administrator does not have the SecurityReader role.

  D. The administrator does not have permissions to request JIT access to the VMs.

  Correct Answer: B

  JIT VM access is only supported for VMs that are deployed using the Azure Resource Manager (ARM) deployment model. VMs that are provisioned using the classic deployment model are not compatible with JIT VM access and will be displayed under the Unsupported tab of the JIT VM access page in the Microsoft Defender for Cloud portal.

• Question 59:

  A company connects their on-premises network by using Azure VPN Gateway. The on- premises environment includes three VPN devices that separately tunnel to the gateway by using Border Gateway Protocol (BGP).

  A new subnet should be unreachable from the on-premises network.

  You need to implement a solution.

  Solution: Configure subnet delegation.

  Does the solution meet the goal?

  A. Yes

  B. No

  Correct Answer: B

  The proposed solution, which is to configure subnet delegation, does not meet the goal of making the new subnet unreachable from the on-premises network. Subnet delegation is a mechanism to delegate management of a subnet to another

  resource such as a Network Virtual Appliance or a Service Endpoint. It does not provide any means to restrict or isolate a subnet from the rest of the network.

  To meet the goal, you can use Network Security Groups (NSGs) to restrict traffic to and from the new subnet. NSGs allow you to define inbound and outbound security rules that specify the type of traffic that is allowed or denied based on

  different criteria such as source or destination IP address, protocol, port number, etc. By creating a custom NSG and defining rules that deny traffic to and from the new subnet, you can effectively make that subnet unreachable from the on-

  premises network.

  Therefore, the correct answer is option B, "No".

  Reference:

  https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

  https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

• Question 60:

  A company deploys an ExpressRoute circuit.

  You need to verify accepted peering routes from the ExpressRoute circuit.

  Which PowerShell cmdlet should you run?

  A. Get-AzExpressRouteCrossConnectionPeering

  B. Get-AzExpressRouteCircuit

  C. Get-AzExpressRouteCircuitPeeringConfig

  D. Get-AzExpressRouteCircuitRouteTable

  E. Get-AzExpressRouteCircuitStats

  Correct Answer: D

  To verify accepted peering routes from the ExpressRoute circuit, you should run the PowerShell cmdlet Get-AzExpressRouteCircuitRouteTable. According to 1, this cmdlet returns a list of routes advertised by an ExpressRoute circuit peering. You can specify which peering type (AzurePrivatePeering, AzurePublicPeering, or MicrosoftPeering) and which route table (AdvertisedPublicPrefixes or AdvertisedPublicPrefixesState) you want to view.