Question 1 🔥
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study -
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.

Background -
Contoso, Ltd. is a financial services company based in Boston, MA, United States. Contoso hires you to manage their Azure environment and resolve several operational issues.

Current environment -

General -
Contoso's Azure environment contains the following resources. All resources are associated with the same subscription and are located in the East US region:
VPN users use Windows 10 computers with the built-in SSTP VPN client software.

Recent changes -
• You extend the IP address space of VNet1 and create subnets in the new IP address space.
• You allow users with computers that run the current version of MacOS to use the built-in VPN client for connecting to the point-to-site VPN.
• You enable a service endpoint on contosostorage1 to provide direct access to the storage content from all subnets in VNet1.
• You configure all business critical VM workloads to use encryption keys stored in all five key vaults.
• You enable a private endpoint on CosmosDB1 to provide direct access to its content from VNet1.
• Contoso's data engineering team was recently tasked with using contosostorage1 blob storage to store database backups.
• You develop an automated process to deploy Azure VMs by using Azure Bicep. The passwords for the local administrator accounts are stored in the key vaults. You grant the team that initiates the deployment the Reader RBAC role to all key vaults.
• You deploy a multi-tier SharePoint Server environment into a subnet in VNet2. You implement network security groups (NSGs) to allow only specific ports between tiers in the subnet. You configure NSGs to use application security groups (ASGs) when designating the source and destination of cross-tier traffic.
• You deploy a secondary multi-tier SharePoint Server environment into a subnet in VNet3.
You create the following resources:

Issues -

DNS issues -
Reverse DNS lookup -
• Reverse DNS lookups from VNet1 return two records. One DNS record is in the format [vmname].contoso.com and the other DNS record is in the format [vmname].internal.cloudapp.net.
• Reverse DNS lookups from VNet2 and VNet3 return DNS names in the format [vmname].internal.cloudapp.net.
• VMs on each virtual network can only resolve reverse DNS lookup names of VMs on the same virtual network.
Public DNS lookup -
You are notified that name resolution requests for www.contoso.com are using the DNS zone hosted by the DNS registrar where the zone was originally created.

Connectivity and routing issues -
Windows VPN -
Windows VPN clients cannot connect to Azure VMs on the subnets recently added to VNet1.
Sales department VPN -
The sales department users cannot connect by using the MacOS VPN client.
Azure Storage connectivity -
• Server Message Block (SMB) mounts from VMs on VNet2 and VNet3 to file shares in contosostorage1 are failing.
• Azure Storage Explorer connections using access keys from on-premises computers to contosostorage1 are failing.
Cosmos DB connectivity -
You observe that connections to CosmosDB1 from the on-premises environment are using the CosmosDB1 public endpoint. However, connections to CosmosDB1 from the on-premises environment should be using the private endpoint. You verify that connections to CosmosDB1 from VNet1 are using the private endpoint.
VM1 routing -
Internet traffic from VM1 is routed directly to the Internet.
VM2 routing -
After configuring RT12 to route internet traffic from VM1 through VM2, traffic reaches VM2 but then it is dropped. You verify that routing for VM2 is configured correctly.

Azure and SharePoint issues -
Azure Key Vault -
Access attempts to Azure Key Vault by VM workloads intermittently fail with the HTTP response code 429.
SharePoint in VNet2 -
SharePoint traffic between tiers is blocked by NSGs, which is causing application failures.
SharePoint in VNet3 -
ASGs used in the NSG rules associated with the VNet2 subnet are not visible when configuring NSG rules in VNet3.

Permission issues -
Data engineering team -
The Contoso data engineering team is unable to view the contosostorage1 account in the Azure portal.
Azure VM deployment -
Azure VM deployments that use Azure Bicep are failing with an authorization error. The error indicates there are insufficient access permissions to retrieve the password of the local administrator account in the key vault.

Requirements -

DNS requirements -
Reverse DNS lookup -
You must identify the reason for the differences between reverse DNS lookup results in the hub and the spoke networks and recommend a solution that provides the reverse DNS lookup in the format [vmname].contoso.com for all three virtual networks.
Public DNS lookup -
You must verify that the Azure public DNS zone is currently used to resolve DNS name requests for www.contoso.com and recommend a solution that uses the Azure public DNS zone.

Connectivity and routing requirements -
Windows VPN -
You must verify if VPN client connectivity issues are related to routing and recommend a solution.
MacOS VPN -
You must verify if Remote ID and Local ID VPN client settings on the MacOS devices are properly configured.
Azure Storage connectivity -
You must resolve the issues with the SMB mounts from VNet2 and VNet3 as well as ensure that on-premises connections to contosostorage1 are successful. Your solution must ensure that, whenever possible, network traffic does not traverse the public internet.
Cosmos DB connectivity -
You must verify if on-premises connections to CosmosDB1 are using the CosmosDB1 public endpoint. You need to recommend a solution if connections are not using private endpoints.
VM1 routing -
RT12 must be configured to route internet traffic from VM1 through VM2.
VM2 routing -
VM2 must be configured to route internet traffic from VM1.

Azure and SharePoint requirements -
Azure Key Vault -
You must identify the reason for the failures and recommend a solution.
SharePoint in VNet2 -
You need to identify the NSG rules that are blocking traffic. You also need to collect the data that is blocked by the NSG rules. The solution must minimize administrative effort.
SharePoint in VNet3 -
You need to create NSG rules for VNet3 with the same name, source and destination settings that are configured for the NSG associated with VNet2. The solution must minimize administrative effort.

Permission requirements -
Azure Bicep -
You must identify the minimum privileges required to provision Azure VMs using Azure Bicep.
Data engineering team -
You must identify the role-based access control (RBAC) roles required by the data engineering team to access the storage account by using the Azure portal. They also require permission to back up and restore blobs in contosostorage1.

You need to troubleshoot the CosmosDB1 issues from the on-premises environment.
What should you use?
Question 2 🔥
Case study -

Background -
Fabrikam Inc. runs an online reservation service that allows agents to manage online registrations for various hotels, vacation rentals, and customers.

Current environment -

Environments -
The company has on-premises infrastructure and services that are hosted in Azure. The on-premises infrastructure includes servers that run Active Directory Domain Services (AD DS). Azure services include virtual machines (VMs) that are in one subscription and the following environments: development, testing, and production. Each environment is located in a different virtual network (VNet).
The company has a perimeter network that supports connections to the internet. The perimeter network is also hosted in a separate VNet. All of the VNets are connected by using virtual network peering.

Virtual machines -
The company's subscription contains the following Azure virtual machines (VMs):
The Web Server (IIS) role is installed on VM4. The operating system firewall for each VM allows inbound ping requests.

Network security groups -
The company's subscription includes the following network security groups (NSGs):

Security rules -
NSG1, NSG2, NSGS, and NSG5 use the default inbound security rules. NSG4, NSG5, and NSG10 use the default outbound security rules.
NSG4 has the following inbound security rule:
NSG10 has the following inbound security rules:

Virtual network peering -
The virtual network peering connections are in the following table:

Virtual network gateway -
A virtual network gateway named VNetGW is provisioned in the perimeter network. The virtual network gateway will provide:
• Network routing to customer data centers using site-to-site VPN connections.
• Network routing to Azure for the scheduling agents and sales employees using a point-to-site VPN connection.
Information about the virtual network gateway is shown in the following table:

Site-to-site VPN connections -
The company's site-to-site VPN connections with customers are shown in the following table:

Point-to-site VPN configuration -
The point-to-site VPN is configured as shown in the following table:

Users and groups -
The company's user and group memberships are shown in the following table:
The scheduling agents, warehouse, and sales groups are members of the self-service password reset (SSPR) group named SSPR-group.

Azure AD Connect -
Azure AD Connect is installed on an on-premises server named SRV1. In addition:
• The server uses a pass-through authentication agent.
• The SSPR feature is enabled.
• The SSPR feature is applied only to a group named SSPR-group.

Network policy server -
Network Policy Server (NPS) is installed on an on-premises server named SRV2. The NPS extension for Azure AD multi-factor authentication (MFA) is configured on the server as well.

Requirements -

Business requirements -
• The scheduling agents' internet connectivity should be blocked when connected to the point-to-site VPN.
• Sales employees must use the default VPN client on MacOS computers to connect to Azure.
• Azure AD Connect must synchronize all user accounts from AD DS to Azure AD.

Technical requirements -
• Pass-through authentication is required for all users.
• Azure AD multi-factor authentication (MFA) is required for all users.
• All admin user accounts must be in an organizational unit (OU) named Admins.

Issues -

Resource issues -
• You discover during testing that scheduling agents are experiencing latency when accessing resources at the Alpine Ski House. You suspect that the issue is related to TCP latency.
• You receive reports that VM1 is unable to access resources at Contoso Suites.
• Users report issues connecting from VM3 to resources at Margie's Travel. The administrator for Margie's Travel has verified that their VPN gateway is working correctly. You need to verify whether the Fabrikam virtual network gateway is available.
• The administrator of a partner company named Blue Yonder Airlines reports VPN disconnections and IPSec failure to connect errors.
• You receive the following error on SRV1 only when trying to synchronize an administrator named Admin1: 8344 Insufficient access rights to perform the operation
• MFA requests on SRV2 are failing with a security token error.
• You are unable to ping VM10 from VM1.

User issues -
• A scheduling agent named User1 reports that they can access the internet when connected to the point-to-site VPN.
• A user named User2 reports the following error when registering for SSPR: Your administrator has not enabled you to use this feature.
• Sales team employees report that they are unable to connect by using point-to-site VPN.
• A scheduling agent named Agent1 reports issues authenticating to Azure AD.
• An administrator named Admin2 reports they cannot connect to the web server public IP address on VM4 from VM2.

You need to resolve the issue with VM10.
What should you do?
Question 3 🔥
HOTSPOT -
This question uses the Contoso, Ltd. case study that is presented in full under Question 1.

You need to troubleshoot the issues with the SharePoint workload in VNet2.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Question 4 🔥
HOTSPOT -
A company has an Azure environment that uses one virtual network.
The company restructures the environment to use two different virtual networks. Virtual machines in one network cannot communicate with virtual machines in the other virtual network.

You need to resolve the name resolution issue.
What should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Question 5 🔥
Case study -
This question uses the Fabrikam Inc. case study that is presented in full under Question 2.

You need to resolve the issue with Admin1.
What should you do?
Question 6 🔥
A company uses Azure Site Recovery (ASR) for a VMware environment that includes the following virtual machines (VMs):
The company reports that they are unable to configure all of the servers for replication.

You need to evaluate the servers and server roles to determine which servers can be protected.
Which server can you protect by using ASR?