AZ-720

Practice AZ-720 Exam

Is it difficult for you to decide to purchase Microsoft AZ-720 exam dumps questions? CertQueen provides FREE online Troubleshooting Microsoft Azure Connectivity AZ-720 exam questions below, and you can test your AZ-720 skills first, and then decide whether to buy the full version or not. We promise you get the following advantages after purchasing our AZ-720 exam dumps questions.
1. Free update in ONE year from the date of your purchase.
2. Full payment fee refund if you fail the AZ-720 exam with the dumps.

 


Latest AZ-720 Exam Dumps Questions

The dumps for the AZ-720 exam were last updated on Oct 11, 2023.


Question#1

HOTSPOT
You need to troubleshoot and resolve the reverse VPN connectivity issues.
What should you do? To answer, select the appropriate option in the answer area. NOTE: Each correct selection is worth one point.



Explanation:
Box 1: Review the output of the route print command on the client computer. A Windows VPN connection is a point-to-site connection that allows a client computer to connect to an Azure virtual network gateway using IKEv2 or SSTP protocols [1]. To troubleshoot Windows VPN connectivity issues, you need to check the configuration and status of the VPN client on the client computer.
One of the common problems that can cause Windows VPN connectivity issues is an incorrect routing configuration on the client computer [1]. The client computer needs to have a route that directs the traffic destined for the target subnet in Azure to the VPN interface. If the route is missing or incorrect, the traffic will not reach the Azure virtual network gateway.
To check the routing configuration on the client computer, you can use the route print command in a command prompt window. This command displays the routing table of the client computer, which shows the destination network, the gateway address, and the interface for each route [2]. You can compare the output of this command with the expected routes for your VPN connection.
For example, if your target subnet in Azure is 10.0.0.0/24 and your VPN interface has an IP address of 172.16.0.1, you should see a route like this in the output of route print:
Destination Network | Gateway Address | Interface
10.0.0.0/24 | On-link | 172.16.0.1
This route means that any traffic destined for 10.0.0.0/24 will be sent directly to the VPN interface (On-link) with an IP address of 172.16.0.1.
If you do not see this route or see a different gateway address or interface, you need to correct the routing configuration on the client computer. You can use the route add command to add a new route or use the route change command to modify an existing route [2].
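The route comparison described in Box 1, as an added example that is not part of the original page: a Python script that parses the IPv4 Active Routes block of route print output and reports whether traffic for the target subnet leaves through the VPN interface. The sample output is constructed, and the function names are assumptions of this example.

```python
import ipaddress

# Constructed sample of the IPv4 section of `route print` output (not from the page).
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50     25
         10.0.0.0    255.255.255.0         On-link        172.16.0.1     43
      192.168.1.0    255.255.255.0         On-link      192.168.1.50    281
===========================================================================
Persistent Routes:
  None
"""

def parse_ipv4_routes(text):
    """Return (network, gateway, interface, metric) tuples from the Active Routes block."""
    routes, active = [], False
    for line in text.splitlines():
        if line.startswith("Active Routes"):
            active = True
            continue
        if active and line.startswith("="):
            break  # end of the active IPv4 block
        parts = line.split()
        if not active or len(parts) != 5:
            continue  # header row, separators, or text outside the block
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}")
            routes.append((net, gateway, ipaddress.ip_address(iface), int(metric)))
        except ValueError:
            continue  # malformed line
    return routes

def check_vpn_route(text, target_subnet, vpn_interface):
    """Classify how traffic for target_subnet would leave this client."""
    target = ipaddress.ip_network(target_subnet)
    vpn_ip = ipaddress.ip_address(vpn_interface)
    # Routes whose destination covers the whole target subnet.
    covering = [r for r in parse_ipv4_routes(text) if target.subnet_of(r[0])]
    if not covering:
        return "missing"
    # The most specific prefix wins; the lowest metric breaks ties.
    best = max(covering, key=lambda r: (r[0].prefixlen, -r[3]))
    return "ok" if best[2] == vpn_ip else f"wrong-interface:{best[2]}"
```

A "wrong-interface" result means the only covering route is a less specific one, such as the default route, so the traffic bypasses the VPN.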
Box 2: Download the VPN client package and install it on the client computer
A Windows VPN connection is a point-to-site connection that allows a client computer to connect to an Azure virtual network gateway using IKEv2 or SSTP protocols [1]. To establish a Windows VPN connection, you need to install a VPN client package on the client computer that contains the configuration files and certificates required for the connection [1]. One of the common problems that can cause Windows VPN connectivity issues is a missing or outdated VPN client package on the client computer [1]. The VPN client package may be missing if it was not installed properly or was deleted accidentally. The VPN client package may be outdated if the Azure virtual network gateway configuration has changed since the package was downloaded.
To resolve this problem, you need to download the latest VPN client package from the Azure portal and install it on the client computer [1].
To download the VPN client package, follow these steps:
✑ Go to the Azure portal and select your virtual network gateway.
✑ On the Overview page, click Point-to-site configuration.
✑ On the Point-to-site configuration page, click Download VPN client.
✑ Select the appropriate version of Windows for your client computer and click Download.
✑ Extract the contents of the downloaded ZIP file to a folder on your client computer.
✑ Run the executable file in the folder to install the VPN client package.

Question#2

A company enables just-in-time (JIT) virtual machine (VM) access in Azure.
An administrator observes a list of VMs on the Unsupported tab of the JIT VM access page in the Microsoft Defender for Cloud portal.
You need to determine why some VMs are not supported for JIT VM access.
What should you conclude?

A. The administrator does not have the SecurityReader role.
B. The administrator is using the Microsoft Defender for Cloud free tier.
C. The client firewall does not allow port 22 on the VMs.
D. A network security group is not associated with the VMs.

Question#3

HOTSPOT
You need to troubleshoot and resolve issues reported for contosostorage1.
What should you do? To answer, select the appropriate option in the answer area. NOTE: Each correct selection is worth one point.



Explanation:
Box 1: Configure service endpoint for subnet on VNet2 and VNet3.
This is what you should do to resolve issues accessing contosostorage1 from VNet2 and VNet3. A service endpoint is a feature that enables you to secure your Azure Storage account to a specific virtual network subnet [1].
As mentioned in the scenario, contosostorage1 is a storage account that has firewall and virtual network settings enabled. This means that only requests from allowed networks can access the storage account [2]. By default, storage accounts accept connections from clients on any network, but you can configure firewall rules to allow or deny access based on the source IP address or virtual network subnet [2].
In this scenario, you want to allow access to contosostorage1 from VNet2 and VNet3, which are peered with VNet1. To do this, you need to configure service endpoints for the subnets on VNet2 and VNet3 that need to access the storage account [1]. A service endpoint is a feature that enables you to secure your Azure Storage account to a specific virtual network subnet [1]. When you enable a service endpoint for a subnet, you can then grant access to the storage account only from that subnet [1]. This way, you can restrict access to your storage account and improve network performance by routing traffic through an optimal path.
To configure service endpoints for a subnet using the Azure portal, follow these steps [1]:
✑ In the Azure portal, navigate to the Virtual Network resource.
✑ Select Subnets, then select the subnet that needs to access the storage account.
✑ Under Service endpoints, select Microsoft.Storage from the drop-down list.
✑ Select Save to apply the changes.
To configure service endpoints for a subnet using the Azure CLI or PowerShell, see Enable a service endpoint.
After configuring service endpoints for the subnets on VNet2 and VNet3, you also need to grant access to contosostorage1 from those subnets. To do this, you need to modify the firewall rules on the storage account [2].
To modify the firewall rules on the storage account using the Azure portal, follow these steps [2]:
✑ In the Azure portal, navigate to the Storage Account resource.
✑ Select Firewalls and virtual networks under Settings.
✑ Under Allow access from selected networks, select Add existing virtual network.
✑ Select the virtual network and subnet that have service endpoints enabled for Microsoft.Storage.
✑ Select Add to save the changes.
To modify the firewall rules on the storage account using the Azure CLI or PowerShell, see Configure Azure Storage firewalls and virtual networks.
Box 2: Configure the firewall settings on contosostorage1.
The issue reported is that on-premises connections to contosostorage1 are unsuccessful. The main reason for this could be that the firewall settings on the storage account are blocking the connections. By configuring the firewall settings on contosostorage1 to allow the on-premises IP addresses, you can ensure that the on-premises connections are successful.
As mentioned in the scenario, contosostorage1 is a storage account that has firewall and virtual network settings enabled. This means that only requests from allowed networks can access the storage account [1]. By default, storage accounts accept connections from clients on any network, but you can configure firewall rules to allow or deny access based on the source IP address or virtual network subnet [1].
In this scenario, you want to allow access to contosostorage1 from the on-premises environment, which is connected to Azure using a Site-to-Site VPN connection. A Site-to-Site VPN connection lets you create a secure connection between your on-premises network and an Azure virtual network over an IPsec/IKE VPN tunnel [2]. To allow access to contosostorage1 from the on-premises environment, you need to configure the firewall settings on contosostorage1 to include the public IP address of your VPN device or gateway [3].
To configure the firewall settings on contosostorage1 using the Azure portal, follow these steps [1]:
✑ In the Azure portal, navigate to the Storage Account resource.
✑ Select Firewalls and virtual networks under Settings.
✑ Under Allow access from selected networks, select Add existing virtual network.
✑ Select VNet1 and the subnet that has service endpoints enabled for Microsoft.Storage.
✑ Under Firewall, enter the public IP address of your VPN device or gateway under Address Range.
✑ Select Save to apply the changes.
To configure the firewall settings on contosostorage1 using the Azure CLI or PowerShell, see Configure Azure Storage firewalls and virtual networks.

Question#4

A company enables just-in-time (JIT) virtual machine (VM) access in Azure.
An administrator observes a list of VMs on the Unsupported tab of the JIT VM access page in the Microsoft Defender for Cloud portal.
You need to determine why some VMs are not supported for JIT VM access.
What should you conclude?

A. The administrator is using the Microsoft Defender for Cloud free tier.
B. The VMs were provisioned by using a classic deployment.
C. The administrator does not have the SecurityReader role.
D. The administrator does not have permissions to request JIT access to the VMs.

Explanation:
JIT VM access is only supported for VMs that are deployed using the Azure Resource Manager (ARM) deployment model. VMs that are provisioned using the classic deployment model are not compatible with JIT VM access and will be displayed under the Unsupported tab of the JIT VM access page in the Microsoft Defender for Cloud portal.

Question#5

A company uses Azure AD Connect. The company plans to implement self-service password reset (SSPR).
An administrator receives an error that password writeback could not be enabled during the Azure AD Connect configuration.
The administrator observes the following event log error:
Error getting auth token
You need to resolve the issue.
Solution: Use a global administrator account with a password that is less than 256 characters to configure Azure AD Connect.
Does the solution meet the goal?

A. Yes
B. No

Explanation:
No, restarting the Azure AD Connect service would not resolve the issue described in the scenario. The error message "Error getting auth token" indicates there is a problem with authentication, which is preventing password writeback from being enabled during the Azure AD Connect configuration.
To resolve this issue, you should first confirm that the Azure AD Connect server can authenticate to the Azure AD tenant by using a valid set of credentials. If authentication is successful, then you can investigate other possible causes such as network connectivity issues, misconfigured firewall rules, expired certificates, etc.
Therefore, the correct answer is option B, "No".
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-authentication
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-password-writeback#troubleshooting-steps

Exam Code: AZ-720 | Q & A: 119 Q&As | Updated: Oct 11, 2023

 
