
AZ-900 Cloud Concepts Explained: IaaS, PaaS, SaaS, and the Shared Responsibility Model


Reviewed by Johnson Ajibi, MSc IT Security

12+ years in network and security engineering · Founder, JTNetSolutions Limited & Courseiva


Quick answer: The AZ-900 exam tests foundational cloud knowledge. Domain 1 (Cloud Concepts) covers service models (IaaS, PaaS, SaaS), the shared responsibility model (who secures what), and deployment models (public, private, hybrid). Master these to score 25-30% of your exam points.

Why Cloud Concepts Matter for AZ-900

Domain 1 of the AZ-900 exam—Cloud Concepts—carries 25-30% of the total score. It’s the foundation for everything else. You’ll need to distinguish between IaaS, PaaS, and SaaS, explain the shared responsibility model (the most-tested topic), and compare public, private, and hybrid clouds. Without this, you’ll struggle on later domains like architecture and security.

Think of it this way: if you can’t explain who patches the OS in PaaS vs. IaaS, you’re leaving easy points on the table. Let’s break it down with concrete Azure examples.

IaaS, PaaS, and SaaS: The Service Models with Azure Examples

Azure offers three primary service models. Each shifts responsibility between you and Microsoft.

Infrastructure as a Service (IaaS)

What it is: You rent virtualized computing resources—VMs, storage, networks. You manage the OS, middleware, and apps; Microsoft handles the physical hardware.

Azure examples:

  • Azure Virtual Machines – Deploy a Windows or Linux VM. You choose the size, install software, configure firewalls.
  • Azure Virtual Network – Create subnets, route traffic, set up VPNs.
  • Azure Blob Storage – Store unstructured data; you control access policies.

When to use: Lift-and-shift migrations, custom environments, legacy apps needing full control.

Platform as a Service (PaaS)

What it is: You deploy apps without managing the underlying infrastructure. Microsoft manages the OS, runtime, and middleware.

Azure examples:

  • Azure App Service – Host web apps or APIs. Scale automatically; no VM management.
  • Azure SQL Database – Managed relational database. Microsoft handles patching, backups, high availability.
  • Azure Functions – Serverless compute. Write code triggered by events; pay per execution.

When to use: Rapid development, microservices, reducing operational overhead.

Software as a Service (SaaS)

What it is: You use fully managed software over the internet. Microsoft (or a third party) handles everything—infrastructure, platform, and app.

Azure examples:

  • Microsoft 365 – Email, Office apps, Teams.
  • Dynamics 365 – CRM and ERP tools.
  • Azure DevOps – Development pipelines, boards, repos.

When to use: Standard business processes, no custom infrastructure needs.

Comparison Table

| Aspect | IaaS | PaaS | SaaS |
| --- | --- | --- | --- |
| You manage | Apps, data, runtime, OS, middleware | Apps, data | Nothing |
| Azure manages | Virtualization, servers, storage, networking | Runtime, OS, middleware, infrastructure | Everything |
| Example | Azure VM | Azure App Service | Microsoft 365 |
| Flexibility | High | Medium | Low |

The Shared Responsibility Model: Most-Tested Topic

This is the #1 concept in Domain 1. Expect at least 3-5 questions on it.

Core idea: Security and management responsibility is shared between you and Microsoft. The split depends on the service model.

  • On-premises: You own everything—physical security, hardware, OS, apps.
  • IaaS: Microsoft secures the physical datacenter, network, and hypervisor. You secure the OS, apps, data, and network controls (like NSGs).
  • PaaS: Microsoft secures the runtime, OS, and infrastructure. You secure your data, access policies, and app code.
  • SaaS: Microsoft secures everything. You only manage data classification, user access, and device compliance.
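
An added example (not part of the original guide): in IaaS the NSG rules are yours to secure, so one customer-side check is to flag inbound Allow rules that expose SSH or RDP to any source. The rule data is constructed in the shape `az network nsg rule list -o json` returns, and the function names are this example's own.

```python
import json

# Constructed sample in the shape `az network nsg rule list -o json` returns.
# Rule names and addresses are made up for this example.
SAMPLE_RULES = json.loads("""
[
 {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
 {"name": "allow-rdp-any", "priority": 200, "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
 {"name": "allow-ssh-office", "priority": 300, "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
 {"name": "allow-mgmt-range", "priority": 400, "direction": "Inbound", "access": "Allow", "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": null, "destinationPortRanges": ["20-25", "8080"]},
 {"name": "deny-ssh-any", "priority": 500, "direction": "Inbound", "access": "Deny", "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"}
]
""")

# Source values that mean "anyone on the internet" (compared lower-case).
ANY_SOURCE = {"*", "0.0.0.0/0", "internet"}
MGMT_PORTS = {22: "SSH", 3389: "RDP"}

def _values(rule, single, plural):
    """Merge the singular and plural forms of a rule field into one list."""
    one = rule.get(single)
    return list(rule.get(plural) or []) + ([one] if one else [])

def _covers(port, spec):
    """True if a port spec such as "*", "22" or "20-25" includes the port."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def exposed_management_rules(rules):
    """Return (rule name, service) for inbound Allow rules open to any source."""
    findings = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if (rule["direction"], rule["access"]) != ("Inbound", "Allow"):
            continue
        if rule.get("protocol", "*").lower() not in ("tcp", "*"):
            continue
        sources = {s.lower() for s in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")}
        if not sources & ANY_SOURCE:
            continue
        ports = _values(rule, "destinationPortRange", "destinationPortRanges")
        for port, service in MGMT_PORTS.items():
            if any(_covers(port, spec) for spec in ports):
                findings.append((rule["name"], service))
    return findings
```

The check flags candidate rules only; it does not work out whether a higher-priority Deny rule already shadows them.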

Key exam tip: The shared responsibility model is always about who is responsible for what, not who owns the hardware. For example, in PaaS, you still own your data and must control who accesses it.

Real-world scenario: You deploy a web app on Azure App Service (PaaS). A SQL injection vulnerability in your code exposes customer data. That’s your fault, not Microsoft’s. But if the Azure SQL Database patching cycle misses a critical security update, that’s Microsoft’s responsibility.

Cloud Deployment Models: Public, Private, Hybrid

Public Cloud

What it is: Resources owned and operated by a third-party provider (Microsoft) and shared across tenants.

Azure example: Azure public regions (East US, West Europe).

Pros: No capital expenditure, elastic scaling, pay-as-you-go.

Cons: Less control, potential compliance concerns.

Private Cloud

What it is: Resources used exclusively by one organization, managed on-premises or by a third party.

Azure example: Azure Stack HCI – run Azure services in your own datacenter.

Pros: Full control, compliance-friendly, predictable costs.

Cons: Higher upfront investment, limited scale.

Hybrid Cloud

What it is: Combines public and private clouds, allowing data and apps to be shared between them.

Azure example: Azure Arc – manage on-premises servers alongside Azure resources.

Pros: Flexibility, leverage existing investments, disaster recovery.

Cons: Complexity, network latency.

Exam tip: The AZ-900 expects you to know that hybrid is not just “two clouds”—it’s specifically a mix of public and private, with orchestration between them.

10 AZ-900 Cloud Concepts Practice Questions

Test your understanding with these AZ-900 cloud concepts practice questions. Answers are below.

  1. A company wants to migrate a legacy app to Azure but needs full control over the OS and installed software. Which service model fits best?

    • A) SaaS
    • B) PaaS
    • C) IaaS
    • D) Serverless
  2. In the shared responsibility model, who is responsible for patching the operating system in a PaaS deployment?

    • A) The customer
    • B) Microsoft
    • C) Both
    • D) Neither
  3. Which cloud deployment model uses dedicated infrastructure for a single organization but can be managed by a third party?

    • A) Public cloud
    • B) Private cloud
    • C) Hybrid cloud
    • D) Community cloud
  4. A hospital uses Azure SQL Database (PaaS) to store patient records. Who is responsible for encrypting the data at rest?

    • A) Microsoft, because it’s PaaS
    • B) The hospital, because they own the data
    • C) Both, through shared encryption keys
    • D) The cloud provider
  5. Which Azure service is an example of SaaS?

    • A) Azure Virtual Machines
    • B) Azure App Service
    • C) Microsoft 365
    • D) Azure Functions
  6. A startup needs to deploy a web app quickly without managing servers. They choose Azure App Service. This is an example of:

    • A) IaaS
    • B) PaaS
    • C) SaaS
    • D) On-premises
  7. In a hybrid cloud, where are sensitive workloads typically run?

    • A) Public cloud only
    • B) Private cloud only
    • C) Either, based on compliance needs
    • D) Always on-premises
  8. Which statement about the shared responsibility model is true?

    • A) Microsoft is always responsible for physical security
    • B) The customer is always responsible for data
    • C) Both A and B
    • D) Neither
  9. A company uses Azure Virtual Machines (IaaS) to run a custom application. Who manages the guest OS updates?

    • A) Microsoft
    • B) The customer
    • C) The application vendor
    • D) No one
  10. Which cloud model offers the greatest flexibility and control?

    • A) SaaS
    • B) PaaS
    • C) IaaS
    • D) Serverless

Answers:

  1. C (IaaS gives full OS control)
  2. B (Microsoft handles OS patching in PaaS)
  3. B (Private cloud, even if third-party managed)
  4. B (The hospital owns the data; Microsoft provides tools)
  5. C (Microsoft 365 is a SaaS offering)
  6. B (App Service is PaaS)
  7. C (Hybrid allows placement based on compliance)
  8. C (Microsoft handles physical security; customer handles data)
  9. B (In IaaS, the customer manages the guest OS)
  10. C (IaaS provides full control over OS and apps)

Final Takeaway and Next Steps

Mastering Domain 1—IaaS, PaaS, SaaS, the shared responsibility model, and deployment models—gives you a solid foundation for the AZ-900. The shared responsibility model is the most-tested topic; practice explaining it with concrete examples.

For more AZ-900 cloud concepts practice questions and full-length practice exams, visit Courseiva.com. Our free resources include scenario-based questions that mirror the real exam. No fluff, just what you need to pass.
