Microsoft Updated AZ-720 Exam Questions and Answers by eduard

BOX 1: Run the command: nslookup -type=a www.contoso.com 8.8.8.8

nslookup is a command-line tool that queries DNS servers for information about domain names and IP addresses. It can be used to troubleshoot DNS issues and verify DNS configurations1.

The -type option specifies the type of DNS record to query. The -type=a option queries for A records, which map domain names to IPv4 addresses1. The www.contoso.com argument specifies the domain name to query. The 8.8.8.8 argument specifies the DNS server to use for the query, which is a public DNS server provided by Google 2.

By running this command, you can verify if the Azure Public DNS zone is configured according to the requirements by checking if the A record for www.contoso.com matches the expected IPv4 address. If the A record is missing or incorrect, you can use the Azure portal, PowerShell, or Azure CLI to create or update it in your DNS zone 3.

Box2: Create NS records

NS (Name Server) records are used to delegate a domain or subdomain name to a set of authoritative DNS servers, which can provide information about that domain. In this scenario, there appears to be an issue with resolving the domain in question via public DNS lookup since it's only resolving locally on one server and not across all networks. By creating NS records for the domain, authoritative nameservers will be identified and designated as responsible for providing accurate information about the specific zone. This will ensure your domain is properly distributed on various different network zones and help users globally reach your website without any delays or connectivity problems. Alternatively, SRV (Service locator) record is used when you have multiple servers offering similar services such as email or SIP but want to use a weight system indication greater trustworthiness/proximity of datacenters within providers dns infrastructure. And SOA (Start Of Authority) - indicates who in control ofthe DNS zone and provides other related information such as the serial number and default TTL values. Therefore, option A. Create NS records would be the best solution for resolving public DNS lookup issues in this scenario. References: - "NS record," Microsoft Docs, accessed March 27, 2023. [Online]. Available: https://docs.microsoft.com/en-us/windows-server/networking/dns/deploy/create-a-dns-record-for-domain-access#ns-record - "SRV record," Cloudflare Help Center, accessed March 27, 2023. [Online]. Available: https://support.cloudflare.com/hc/en-us/articles/216672888-SRV-Record-Setup - "SOA record," DigitalOcean Product Documentation, accessed March 27, 2023. [Online]. Available: https://www.digitalocean.com/community/tutorials/how-to-manage-dns-using-the-digitalocean-control-panel#start-of-authority-record

Box 1: Assign the Contributor role to the team members.

In the given scenario, the team members are unable to create or manage resources in the Azure portal. To allow them to do so, you should assign the Contributor role to the team members. The Contributor role allows users to create and manage resources within the scope of their access, but they cannot grant access to others. The Reader role only provides read access to resources and does not allow creation or management of resources. The Reader and Data Access role is not a valid combined role in Azure. Reference: - Azure built-in roles: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

As mentioned in the scenario, the team members are unable to create resources in Azure Portal. This indicates that they do not have sufficient permissions to perform this operation. To grant them permissions, you need to assign them an Azure role that allows creating and managing Azure resources.

Azure roles are roles that can be assigned to users, groups, or applications to manage access to Azure resources1. Azure roles are based on Azure role-based access control (Azure RBAC), which is an authorization system that provides fine-grained access management of Azure resources2. With Azure RBAC, you can control access to resources by creating role assignments, which consist of three elements2:

• The security principal: The user, group, or application that you want to grant or deny access to the resource.
• The role definition: The predefined or custom set of permissions that you want to grant or deny on the resource. For example, read, write, delete, backup, restore, etc.
• The scope: The level at which you want to apply the role assignment. For example, at the management group, subscription, resource group, or individual resource level.

To assign an Azure role that allows creating and managing Azure resources, you can use the Contributor role. The Contributor role is a built-in role that has full access to all resources except granting access to others1. This means that users who are assigned the Contributor role can create and manage any type of Azure resource, such as virtual machines, storage accounts, web apps, etc.

To assign the Contributor role using the Azure portal, follow these steps3:

• In the Azure portal, navigate to the scope where you want to assign the role. For example, a subscription or a resource group.
• Select Access control (IAM), then select Add > Add role assignment.
• Under Role, select Contributor from the drop-down list.
• Under Assign access to, select User, group, or service principal.
• Under Select, find and select the users or groups that you want to assign the role to. You can type in the Select box to search the directory for display name or email address.
• Select Save to create the role assignment.

To assign the Contributor role using the Azure CLI or PowerShell, see Assign Azure roles using CLI or PowerShell.

Box 2: Assign the Storage Blob Data Contributor role to the team members. 

A detailed explanation with references is as follows:

As mentioned in the scenario, the team members are unable to perform backups and restores of blob data. This indicates that they do not have sufficient permissions to access blob storage resources. To grant them permissions, you need to assign them an Azure role that allows read/write/delete permissions to blob storage resources.

Azure roles are roles that can be assigned to users, groups, or applications to manage access to Azure resources2. Azure roles are based on Azure role-based access control (Azure RBAC), which is an authorization system that provides fine-grained access management of Azure resources3. With Azure RBAC, you can control access to resources by creating role assignments, which consist of three elements3:

• The security principal: The user, group, or application that you want to grant or deny access to the resource.
• The role definition: The predefined or custom set of permissions that you want to grant or deny on the resource. For example, read, write, delete, backup, restore, etc.
• The scope: The level at which you want to apply the role assignment. For example, at the management group, subscription, resource group, or individual resource level.

To assign an Azure role that allows read/write/delete permissions to blob storage resources, you can use the Storage Blob Data Contributor role. The Storage Blob Data Contributor role is a built-in role that has full access to blob storage resources except granting access to others1. This means that users who are assigned the Storage Blob Data Contributor role can perform backups and restores of blob data.

To assign the Storage Blob Data Contributor role using the Azure portal, follow these steps4:

• In the Azure portal, navigate to the scope where you want to assign the role. For example, a storage account or a container.
• Select Access control (IAM), then select Add > Add role assignment.
• Under Role, select Storage Blob Data Contributor from the drop-down list.
• Under Assign access to, select User, group, or service principal.
• Under Select, find and select the users or groups that you want to assign the role to. You can type in the Select box to search the directory for display name or email address.
• Select Save to create the role assignment.

To assign the Storage Blob Data Contributor role using the Azure CLI or PowerShell, see Assign Azure roles using CLI or PowerShell.

Box 1: Enable access to Azure Resource Manager for template deployment.

In the given scenario, you are trying to resolve Azure VM deployment issues. To configure an Azure Key Vault access policy setting for VM deployment, you need to enable access to Azure Resource Manager for template deployment. This will allow the VM deployment process to access the secrets and certificates stored in the Key Vault during the deployment of the VM using an ARM (Azure Resource Manager) template. Reference: - https://docs.microsoft.com/en-us/azure/key-vault/general/tutorial-net-create-vault-azure-web-app

BoX 2: Grant the Microsoft.KeyVault/vaults/deploy/action permission

 This is the permission that you should configure on an RBAC Key Vault role to resolve the Azure virtual machine (VM) deployment issues. This permission allows Azure Resource Manager to retrieve secrets from the key vault when deploying resources using an ARM template1. Therefore, option C is correct.

A detailed explanation with references is as follows:

As mentioned in the scenario, the Azure virtual machine (VM) deployment issues are caused by the inability of Azure Resource Manager to retrieve secrets from the key vault when deploying resources using an ARM template. To resolve this issue, you need to configure an RBAC Key Vault role that grants Azure Resource Manager the permission to access the key vault.

RBAC Key Vault roles are roles that can be assigned to users, groups, or applications to manage access to key vault secrets, keys, and certificates2. RBAC Key Vault roles are based on Azure role-based access control (Azure RBAC), which is an authorization system that provides fine-grained access management of Azure resources3. With Azure RBAC, you can control access to resources by creating role assignments, which consist of three elements3:

• The security principal: The user, group, or application that you want to grant or deny access to the resource.
• The role definition: The predefined or custom set of permissions that you want to grant or deny on the resource. For example, read, write, delete, backup, restore, etc.
• The scope: The level at which you want to apply the role assignment. For example, at the management group, subscription, resource group, or individual resource level.

To configure a role assignment that allows Azure Resource Manager to retrieve secrets from the key vault when deploying resources using an ARM template, you need to grant the Microsoft.KeyVault/vaults/deploy/action permission1. This is a special permission that grants Azure Resource Manager a limited permission to get secrets from the key vault during resource deployment1. This permission does not grant any other permissions to Azure Resource Manager on the key vault or its contents1.

To grant the Microsoft.KeyVault/vaults/deploy/action permission using the Azure portal, follow these steps1:

• In the Azure portal, navigate to the Key Vault resource.
• Select Access control (IAM), then select Add > Add role assignment.
• Under Role, select a built-in or custom role that includes the Microsoft.KeyVault/vaults/deploy/action permission. For example, you can select Key Vault Administrator or Key Vault Secrets User.
• Under Assign access to, select Azure AD user, group, or service principal.
• Under Select, enter Azure Resource Manager in the search field and select it.
• Select Save to create the role assignment.

To grant the Microsoft.KeyVault/vaults/deploy/action permission using the Azure CLI or PowerShell, see Grant permissions for template deployment.

Box 1 =  Use IP flow verify.

IP flow verify is a feature of Azure Network Watcher that checks if a packet is allowed or denied to or from a virtual machine. It can help diagnose connectivity issues caused by network security groups, user-defined routes, or Azure Virtual Network Manager rules1. IP flow verify can also return the name of the rule that denied the packet, which can be useful for troubleshooting2.

Connection troubleshoot is another feature of Azure Network Watcher that helps reduce the time to diagnose and resolve network connectivity issues. However, it can only test TCP or ICMP connections from certain Azure resources, such as virtual machines, Azure Bastion instances, or application gateways3. Connection troubleshoot can also detect issues such as high VM CPU utilization, DNS resolution failures, or inability to open a socket at the specified source port3.

In this scenario, you need to collect the required logs for the SharePoint workload in VNet2. Since you are not testing a specific TCP or ICMP connection, but rather checking if packets are allowed or denied by any network configuration, IP flow verify is more suitable than connection troubleshoot. You can use IP flow verify to check the direction, protocol, local IP, remote IP, local port, and remote port of the packets and see which rule is blocking them12.

To use IP flow verify, you need to enable a network watcher in the same region as the virtual machines you want to troubleshoot. Then you can use the Azure portal, PowerShell, or Azure CLI to run IP flow verify and get the results24.

Box 2 =  Use Traffic analytics

To troubleshoot issues related to the SharePoint workload in VNet2, we can use Traffic Analytics. It is a networking monitoring solution that uses Network Watcher to analyze and report on traffic flows in your Azure virtual network. With Traffic Analytics, you could see information about the traffic flow patterns and security concerns detected across Azure subscriptions using network security group (NSG) flow logs. IP Flow Verify is used to verify if packets are flowing as expected between two endpoints within an Azure virtual network or between a public IP address and an endpoint inside an azure virtual network. But it doesn't provide visibility into overall traffic patterns or identify potential security threats. Connection Troubleshoot can be used when you have connectivity problems while interacting with a specific instance of a resource type being served out from Microsoft datacenters over Internet, but for troubleshooting SharePoint workloads related issue which might not necessarily correspond to internet routing/connectivity problems this may not apply.