Share via


Study guide for Exam AZ-720: Troubleshooting Microsoft Azure Connectivity

Warning

This exam will retire on July 31, 2023, at 11:59 PM Central Standard Time.

Purpose of this document

This study guide should help you understand what to expect on the exam and includes a summary of the topics the exam might cover and links to additional resources. The information and materials in this document should help you focus your studies as you prepare for the exam.

Useful links Description
Review the skills measured as of April 18, 2023 This list represents the skills measured AFTER the date provided. Study this list if you plan to take the exam AFTER that date.
Review the skills measured prior to April 18, 2023 Study this list of skills if you take your exam PRIOR to the date provided.
Change log You can go directly to the change log if you want to see the changes that will be made on the date provided.
How to earn the certification Some certifications only require passing one exam, while others require passing multiple exams.
Certification renewal Microsoft associate, expert, and specialty certifications expire annually. You can renew by passing a free online assessment on Microsoft Learn.
Your Microsoft Learn profile Connecting your certification profile to Microsoft Learn allows you to schedule and renew exams and share and print certificates.
Exam scoring and score reports A score of 700 or greater is required to pass.
Exam sandbox You can explore the exam environment by visiting our exam sandbox.
Request accommodations If you use assistive devices, require extra time, or need modification to any part of the exam experience, you can request an accommodation.
Take a practice test Are you ready to take the exam or do you need to study a bit more?

Updates to the exam

Our exams are updated periodically to reflect skills that are required to perform a role. We have included two versions of the Skills Measured objectives depending on when you are taking the exam.

We always update the English language version of the exam first. Some exams are localized into other languages, and those are updated approximately eight weeks after the English version is updated. While Microsoft makes every effort to update localized versions as noted, there may be times when the localized versions of an exam are not updated on this schedule. Other available languages are listed in the Schedule Exam section of the Exam Details webpage. If the exam isn't available in your preferred language, you can request an additional 30 minutes to complete the exam.

Note

The bullets that follow each of the skills measured are intended to illustrate how we are assessing that skill. Related topics may be covered in the exam.

Note

Most questions cover features that are general availability (GA). The exam may contain questions on Preview features if those features are commonly used.

Skills measured as of April 18, 2023

Audience profile

Candidates for the Microsoft Azure Support Engineer for Connectivity Specialty certification are support engineers with subject matter expertise in using advanced troubleshooting methods to resolve networking and connectivity issues in Azure.

Professionals in this role troubleshoot hybrid environments, including issues with Azure virtual machines, virtual networks, and connectivity between on-premises and Azure services. They use various tools and technologies to diagnose and identify root causes for complex issues.

Candidates for this exam should have experience with networking and with hybrid environments, including knowledge of routing, permissions, and subscription limits. They must be able to use available tools to diagnose issues related to business continuity, hybrid environments, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), access control, networking, and virtual machines connectivity.

  • Troubleshoot business continuity issues (5–10%)

  • Troubleshoot hybrid and cloud connectivity issues (20–25%)

  • Troubleshoot Platform as a Service (PaaS) issues (5–10%)

  • Troubleshoot authentication and access control issues (15–20%)

  • Troubleshoot networks (25–30%)

  • Troubleshoot VM connectivity issues (5–10%)

Troubleshoot business continuity issues (5–10%)

Troubleshoot backup issues

  • Review and interpret backup logs

  • Troubleshoot Azure virtual machines backup issues including restarting a failed backup job

  • Troubleshoot issues with Azure Backup agent

  • Troubleshoot Azure Backup Server issues

  • Troubleshoot scheduled backups

Troubleshoot recovery issues

  • Troubleshoot Azure Site Recovery issues

  • Troubleshoot site recovery in hybrid scenarios that include Hyper-V, or VMware ESX

  • Troubleshoot restore issues when using Azure Backup agent, Azure Backup, or Azure Backup Server

  • Troubleshoot issues recovering files from Azure VM backup

Troubleshoot hybrid and cloud connectivity issues (20–25%)

Troubleshoot virtual network (VNet) connectivity

  • Troubleshoot virtual private network (VPN) gateway transit issues

  • Troubleshoot hub-and-spoke VNet configuration issues

  • Troubleshoot global VNet peering connectivity issues

  • Troubleshoot VNet peering connections

Troubleshoot name resolution issues

  • Troubleshoot name resolution in scenarios that use Azure-provided name resolution

  • Troubleshoot name resolution in scenarios that use custom DNS servers

  • Review and interpret DNS audit logs

  • Troubleshoot name resolution for Azure private DNS zones

  • Troubleshoot issues with DNS records at public DNS providers

  • Troubleshoot domain delegation issues

Troubleshoot point-to-site virtual private network (VPN) connectivity

  • Troubleshoot Windows VPN client configuration issues

  • Troubleshoot OpenVPN VPN client configuration issues

  • Troubleshoot macOS VPN client configuration issues

  • Troubleshoot issues with certificate-based VPN connections

  • Troubleshoot issues with RADIUS-based VPN connections

  • Troubleshoot authentication issues in scenarios by using Microsoft Entra ID

Troubleshoot site-to-site virtual private network (VPN) connectivity

  • Review and interpret network logs and captured network traffic from a VPN gateway

  • Determine the root cause for latency issues within site-to-site VPNs

  • Review and interpret VPN gateway configuration scripts

  • Reset a VPN gateway

  • Troubleshoot VPN gateway issues by running Log Analytics queries

Troubleshoot Azure ExpressRoute connectivity issues

  • Determine whether routes are correctly configured and operational

  • Validate the peering configuration for an ExpressRoute circuit

  • Reset an ExpressRoute circuit

  • Troubleshoot route filtering

  • Determine the root cause of latency issues related to ExpressRoute

Troubleshoot Platform as a Service (PaaS) issues (5–10%)

Troubleshoot PaaS services

  • Troubleshoot PaaS connectivity issues

  • Troubleshoot firewalls for PaaS services

  • Troubleshoot PaaS configuration issues

  • Determine the root cause for service-level throttling

Troubleshoot PaaS integration issues

  • Troubleshoot issues integrating PaaS services with virtual networks

  • Troubleshoot subnet delegation issues

  • Troubleshoot issues with private endpoints and service endpoints

  • Troubleshoot issues with Azure Private Link

Troubleshoot authentication and access control issues (15–20%)

Troubleshoot Microsoft Entra authentication

  • Determine why on-premises systems cannot access Azure resources

  • Troubleshoot Microsoft Entra configuration issues

  • Troubleshoot self-service password reset issues

  • Troubleshoot issues with multifactor authentication

Troubleshoot hybrid authentication

  • Troubleshoot issues with Microsoft Entra Connect and Microsoft Entra Connect cloud sync

  • Troubleshoot issues with integration between Microsoft Entra ID and Microsoft Entra Domain Services

  • Troubleshoot issues with integration between Microsoft Entra ID and Active Directory Federation Services (AD FS)

  • Troubleshoot issues with pass-through authentication and password hash synchronization

  • Troubleshoot issues with Microsoft Entra application proxy

Troubleshoot authorization issues

  • Troubleshoot role-based access control (RBAC) issues

  • Troubleshoot issues storing passwords, keys, and certificates in Azure Key Vault

  • Troubleshoot authorization issues related to Microsoft Entra Conditional Access policies

Troubleshoot networks (25–30%)

Troubleshoot Azure network security issues

  • Determine why Azure Web Application Firewall is blocking traffic

  • Troubleshoot encryption and certificate issues for point-to-site and site-to-site scenarios

  • Troubleshoot connectivity to secure endpoints

Troubleshoot Azure network security groups (NSGs)

  • Troubleshoot NSG configuration issues

  • Review and interpret NSG flow logs

  • Determine whether one or more Azure network interfaces (NICs) are associated with an application security group (ASG)

Troubleshoot Azure Firewall issues

  • Troubleshoot application, network, and infrastructure rules

  • Troubleshoot network address translation (NAT) and destination network address translation (DNAT) rules

  • Troubleshoot Azure Firewall Manager configuration issues

Troubleshoot latency issues

  • Determine the root cause for Azure VM-level throttling

  • Determine the root cause for latency issues when connecting to Azure VMs

  • Determine the root cause for throttling between source and destination resources

  • Troubleshoot bandwidth availability issues

  • Determine whether resource response times meet service-level agreements (SLAs)

Troubleshoot routing and traffic control

  • Review and interpret route tables

  • Troubleshoot issues caused by asymmetric routing

  • Troubleshoot issues with user-defined routes

  • Troubleshoot issues related to forced tunneling

  • Troubleshoot Border Gateway Protocol (BGP) issues

  • Troubleshoot service chaining

  • Troubleshoot custom defined routes

  • Troubleshoot routing configuration issues in Azure

Troubleshoot load-balancing issues

  • Determine whether VMs in a load-balanced backend pool are healthy

  • Troubleshoot issues with Azure Load Balancer

  • Review and interpret load balancer rules

  • Troubleshoot traffic distribution issues

  • Evaluate the configuration of Azure Traffic Manager

  • Troubleshoot issues with Azure Traffic Manager profiles

  • Troubleshoot port exhaustion issues

  • Troubleshoot issues with Azure Front Door

  • Troubleshoot issues with Azure Application Gateway

Troubleshoot VM connectivity issues (5–10%)

Troubleshoot Azure Bastion

  • Troubleshoot issues deploying Azure Bastion

  • Troubleshoot connectivity issues

  • Troubleshoot authorization issues

Troubleshoot just-in-time (JIT) VM access

  • Validate connectivity with an Azure VM

  • Troubleshoot JIT VM configuration issues

  • Troubleshoot JIT VM authorization issues

Study resources

We recommend that you train and get hands-on experience before you take the exam. We offer self-study options and classroom training as well as links to documentation, community sites, and videos.

Study resources Links to learning and documentation
Get trained Choose from self-paced learning paths and modules or take an instructor-led course
Find documentation Azure documentation
Microsoft Entra ID
Azure Policy
Storage
Storage Explorer
Blob Storage
Ask a question Microsoft Q&A | Microsoft Docs
Get community support Azure Community Support
Follow Microsoft Learn Microsoft Learn - Microsoft Tech Community
Find a video Exam Readiness Zone
Azure Fridays
Browse other Microsoft Learn shows

Change log

Key to understanding the table: The topic groups (also known as functional groups) are in bold typeface followed by the objectives within each group. The table is a comparison between the two versions of the exam skills measured and the third column describes the extent of the changes.

Skill area prior to April 18, 2023 Skill area as of April 18, 2023 Change
Audience profile Minor
Troubleshoot business continuity issues Troubleshoot business continuity issues No % change
Troubleshoot backup issues Troubleshoot backup issues No change
Troubleshoot recovery issues Troubleshoot recovery issues Minor
Troubleshoot hybrid and cloud connectivity issues Troubleshoot hybrid and cloud connectivity issues No % change
Troubleshoot virtual network (VNet) connectivity Troubleshoot virtual network (VNet) connectivity Minor
Troubleshoot name resolution issues Troubleshoot name resolution issues No change
Troubleshoot point-to-site virtual private network (VPN) connectivity Troubleshoot point-to-site virtual private network (VPN) connectivity No change
Troubleshoot site-to-site virtual private network (VPN) connectivity Troubleshoot site-to-site virtual private network (VPN) connectivity No change
Troubleshoot Azure ExpressRoute connectivity issues Troubleshoot Azure ExpressRoute connectivity issues Minor
Troubleshoot Platform as a Service issues Troubleshoot Platform as a Service (PaaS) issues No % change
Troubleshoot PaaS services Troubleshoot PaaS services No change
Troubleshoot PaaS integration issues Troubleshoot PaaS integration issues No change
Troubleshoot authentication and access control issues Troubleshoot authentication and access control issues No % change
Troubleshoot Microsoft Entra authentication Troubleshoot Microsoft Entra authentication No change
Troubleshoot hybrid authentication Troubleshoot hybrid authentication No change
Troubleshoot authorization issues Troubleshoot authorization issues Minor
Troubleshoot networks Troubleshoot networks No % change
Troubleshoot Azure network security issues Troubleshoot Azure network security issues No change
Troubleshoot Azure network security groups (NSGs) Troubleshoot Azure network security groups (NSGs) No change
Troubleshoot Azure Firewall issues Troubleshoot Azure Firewall issues No change
Troubleshoot latency issues Troubleshoot latency issues No change
Troubleshoot routing and traffic control Troubleshoot routing and traffic control Minor
Troubleshoot load-balancing issues Troubleshoot load-balancing issues No change
Troubleshoot VM connectivity issues Troubleshoot VM connectivity issues No % change
Troubleshoot Azure Bastion Troubleshoot Azure Bastion No change
Troubleshoot just-in-time (JIT) VM access Troubleshoot just-in-time (JIT) VM access No change

Skills measured prior to April 18, 2023

Audience profile

Candidates for the Azure Support Engineer for Connectivity Specialty certification are support engineers with subject matter expertise in using advanced troubleshooting methods to resolve networking and connectivity issues in Azure.

Professionals in this role troubleshoot hybrid environments, including issues with Azure virtual machines, virtual networks, and connectivity between on-premises and Azure services. They use various tools and technologies to diagnose and identify root causes for complex issues.

Candidates for this exam should have experience with networking and with hybrid environments, including knowledge of routing, permissions, and subscription limits. They must be able to use available tools to diagnose issues related to business continuity, hybrid environments, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), access control, networking, and virtual machines connectivity.

  • Troubleshoot business continuity issues (5–10%)

  • Troubleshoot hybrid and cloud connectivity issues (20–25%)

  • Troubleshoot Platform as a Service issues (5–10%)

  • Troubleshoot authentication and access control issues (15–20%)

  • Troubleshoot networks (25–30%)

  • Troubleshoot VM connectivity issues (5–10%)

Troubleshoot business continuity issues (5–10%)

Troubleshoot backup issues

  • Review and interpret backup logs

  • Troubleshoot Azure virtual machines backup issues including restarting a failed backup job

  • Troubleshoot issues with Azure Backup agent

  • Troubleshoot Azure Backup Server issues

  • Troubleshoot scheduled backups

Troubleshoot recovery issues

  • Troubleshoot Azure Site Recovery issues

  • Troubleshoot site recovery in hybrid scenarios that include Hyper-V, VMware ESX, or Microsoft Endpoint Manager

  • Troubleshoot restore issues when using Azure Backup agent, Azure Backup, or Azure Backup Server

  • Troubleshoot issues recovering files from Azure VM backup

Troubleshoot hybrid and cloud connectivity issues (20–25%)

Troubleshoot virtual network (VNet) connectivity

  • Troubleshoot virtual private network (VPN) gateway transit issues

  • Troubleshoot hub-and-spoke VNet configuration issues

  • Troubleshoot global VNet peering connectivity issues

  • Troubleshoot peered connections

Troubleshoot name resolution issues

  • Troubleshoot name resolution in scenarios that use Azure-provided name resolution

  • Troubleshoot name resolution in scenarios that use custom DNS servers

  • Review and interpret DNS audit logs

  • Troubleshoot name resolution for Azure private DNS zones

  • Troubleshoot issues with DNS records at public DNS providers

  • Troubleshoot domain delegation issues

Troubleshoot point-to-site virtual private network (VPN) connectivity

  • Troubleshoot Windows VPN client configuration issues

  • Troubleshoot OpenVPN VPN client configuration issues

  • Troubleshoot macOS VPN client configuration issues

  • Troubleshoot issues with certificate-based VPN connections

  • Troubleshoot issues with RADIUS-based VPN connections

  • Troubleshoot authentication issues in scenarios by using Microsoft Entra ID

Troubleshoot site-to-site virtual private network (VPN) connectivity

  • Review and interpret network logs and captured network traffic from a VPN gateway

  • Determine the root cause for latency issues within site-to-site VPNs

  • Review and interpret VPN gateway configuration scripts

  • Reset a VPN gateway

  • Troubleshoot VPN gateway issues by running Log Analytics queries

Troubleshoot Azure ExpressRoute connectivity issues

  • Determine whether routes are correctly configured and operational

  • Validate the peering configuration for an ExpressRoute circuit

  • Reset an ExpressRoute circuit

  • Troubleshoot route filtering

  • Troubleshoot custom defined routes

  • Determine the root cause of latency issues related to ExpressRoute

Troubleshoot Platform as a Service issues (5–10%)

Troubleshoot PaaS services

  • Troubleshoot PaaS connectivity issues

  • Troubleshoot firewalls for PaaS services

  • Troubleshoot PaaS configuration issues

  • Determine the root cause for service-level throttling

Troubleshoot PaaS integration issues

  • Troubleshoot issues integrating PaaS services with virtual networks

  • Troubleshoot subnet delegation issues

  • Troubleshoot issues with private endpoints and service endpoints

  • Troubleshoot issues with Azure Private Link

Troubleshoot authentication and access control issues (15–20%)

Troubleshoot Microsoft Entra authentication

  • Determine why on-premises systems cannot access Azure resources

  • Troubleshoot Microsoft Entra configuration issues

  • Troubleshoot self-service password reset issues

  • Troubleshoot issues with multifactor authentication

Troubleshoot hybrid authentication

  • Troubleshoot issues with Microsoft Entra Connect and Microsoft Entra Connect cloud sync

  • Troubleshoot issues with integration between Microsoft Entra ID and Microsoft Entra Domain Services

  • Troubleshoot issues with integration between Microsoft Entra ID and Active Directory Federation Services (AD FS)

  • Troubleshoot issues with pass-through authentication and password hash synchronization

  • Troubleshoot issues with Microsoft Entra application proxy

Troubleshoot authorization issues

  • Troubleshoot role-based access control (RBAC) issues

  • Troubleshoot issues storing encrypted passwords in Azure Key Vault

  • Troubleshoot authorization issues related to Microsoft Entra Conditional Access policies

Troubleshoot networks (25–30%)

Troubleshoot Azure network security issues

  • Determine why Azure Web Application Firewall is blocking traffic

  • Troubleshoot encryption and certificate issues for point-to-site and site-to-site scenarios

  • Troubleshoot connectivity to secure endpoints

Troubleshoot Azure network security groups (NSGs)

  • Troubleshoot NSG configuration issues

  • Review and interpret NSG flow logs

  • Determine whether one or more Azure network interfaces (NICs) are associated with an application security group (ASG)

Troubleshoot Azure Firewall issues

  • Troubleshoot application, network, and infrastructure rules

  • Troubleshoot network address translation (NAT) and destination network address translation (DNAT) rules

  • Troubleshoot Azure Firewall Manager configuration issues

Troubleshoot latency issues

  • Determine the root cause for Azure VM-level throttling

  • Determine the root cause for latency issues when connecting to Azure VMs

  • Determine the root cause for throttling between source and destination resources

  • Troubleshoot bandwidth availability issues

  • Determine whether resource response times meet service-level agreements (SLAs)

Troubleshoot routing and traffic control

  • Review and interpret route tables

  • Troubleshoot issues caused by asymmetric routing

  • Troubleshoot issues with user-defined routes

  • Troubleshoot issues related to forced tunneling

  • Troubleshoot Border Gateway Protocol (BGP) issues

  • Troubleshoot service chaining

  • Troubleshoot routing configuration issues in Azure

Troubleshoot load-balancing issues

  • Determine whether VMs in a load-balanced backend pool are healthy

  • Troubleshoot issues with Azure Load Balancer

  • Review and interpret load balancer rules

  • Troubleshoot traffic distribution issues

  • Evaluate the configuration of Azure Traffic Manager

  • Troubleshoot issues with Azure Traffic Manager profiles

  • Troubleshoot port exhaustion issues

  • Troubleshoot issues with Azure Front Door

  • Troubleshoot issues with Azure Application Gateway

Troubleshoot VM connectivity issues (5–10%)

Troubleshoot Azure Bastion

  • Troubleshoot issues deploying Azure Bastion

  • Troubleshoot connectivity issues

  • Troubleshoot authorization issues

Troubleshoot just-in-time (JIT) VM access

  • Validate connectivity with an Azure VM

  • Troubleshoot JIT VM configuration issues

  • Troubleshoot JIT VM authorization issues