AZ-900 | Chapter 59 of 127 | Objective 1.1

Shared Responsibility in Azure Cloud

This chapter covers the shared responsibility model in Microsoft Azure, a foundational concept for AZ-900. Understanding who is responsible for what in the cloud is critical because it directly impacts security, compliance, and cost. The Cloud Concepts domain (15-20% of the exam) tests your grasp of this model, and you will see multiple questions on this topic. We'll break down the model, how it varies by service type, and common exam traps.

25 min read
Beginner
Updated May 31, 2026

The Security House: Shared Responsibility

Imagine you're renting a house. The landlord (Microsoft Azure) is responsible for the structure: the roof, walls, foundation, plumbing, and electrical wiring. They ensure the building is safe from external threats like storms or fires affecting the entire neighborhood. However, you, the tenant (customer), are responsible for what's inside: locking the doors and windows, setting the alarm, securing your valuables, and deciding who gets keys. If you leave a window open and someone steals your laptop, that's your fault—not the landlord's. Similarly, in the cloud, Azure secures the physical datacenters, network infrastructure, and hypervisor, but you must secure your data, applications, and access controls. The shared responsibility model defines these boundaries. The key mechanism: responsibility shifts based on the service model (IaaS, PaaS, SaaS). In IaaS, you manage more (like securing the virtual machine's operating system), while in SaaS, Azure manages almost everything except your data and user access. This division is contractual and operational—understanding it prevents security gaps.

How It Actually Works

What is the Shared Responsibility Model?

The shared responsibility model defines the division of security and compliance obligations between the cloud provider (Azure) and the customer. In traditional on-premises datacenters, the organization owns everything—from physical security to application data. In the cloud, Azure takes on some of these responsibilities, but not all. The business problem: customers often assume the cloud provider secures everything, leading to data breaches. The model clarifies boundaries, so both parties understand their duties.

How the Model Works Step by Step

1. Azure's Always-Responsible Layers: Microsoft is responsible for the physical security of datacenters (guards, cameras, biometrics), the hardware (servers, storage, networking), the hypervisor (the software that virtualizes hardware), and the core network (routers, switches, firewalls protecting the Azure backbone). This is non-negotiable and applies to all services.

2. Customer's Always-Responsible Layers: The customer is always responsible for their data (including classification, encryption, and backup), identities (user accounts, passwords, multi-factor authentication), and on-premises resources connected to Azure (like a hybrid network). Even in SaaS, you control who accesses your data.

3. Variable Responsibility by Service Model:

- IaaS (Infrastructure as a Service): You manage the virtual machine's operating system, applications, data, and network controls (e.g., Network Security Groups). Azure manages the physical host, hypervisor, and storage infrastructure.
- PaaS (Platform as a Service): Azure manages the runtime, middleware, and OS. You manage your data, application code, and access policies. For example, in Azure SQL Database, Azure handles the database engine patches; you manage the database schema and user permissions.
- SaaS (Software as a Service): Azure manages almost everything—the application, runtime, OS, and infrastructure. You only manage data, user access, and device policies (e.g., Microsoft 365 admin center).

4. Compliance and Auditing: Responsibilities extend to compliance certifications. Azure maintains certifications for its infrastructure (e.g., ISO 27001, SOC 2). Customers must ensure their configurations meet compliance requirements. For example, Azure may provide encryption at rest, but you must enable it and manage keys.

Key Components and Boundaries

Physical Security: Azure's responsibility. Datacenters are hardened facilities with strict access controls.

Network Security: Shared. Azure protects the physical network and provides DDoS protection. You configure firewalls, virtual networks, and traffic rules.

Identity and Access: Customer responsibility. Use Azure Active Directory (Azure AD) to manage users and enforce MFA.

Data Classification and Compliance: Customer responsibility. You must classify data (e.g., public, confidential) and apply appropriate controls (encryption, retention policies).

Patching: Varies. In IaaS, you patch OS and apps. In PaaS, Azure patches the platform; you patch your code. In SaaS, Azure patches everything (e.g., Microsoft 365 updates).

Comparison to On-Premises

In an on-premises datacenter, your organization is 100% responsible for everything: physical security, hardware maintenance, power, cooling, network, OS, applications, data. The shared responsibility model offloads the physical and infrastructure layers to Azure. The more you move to PaaS or SaaS, the less you manage. This reduces operational overhead but requires clear understanding of boundaries to avoid security gaps.

Azure Portal and CLI Touchpoints

In the Azure portal, you can see responsibility indicators in service blades. For example, under a virtual machine's "Security" section, you see recommendations for OS patches (your responsibility). Use Azure Policy to enforce compliance. With CLI, you can check resource configurations:

az vm show --name MyVM --resource-group MyRG --query "storageProfile.osDisk.managedDisk.storageAccountType"

This shows the disk type—encryption settings are your responsibility.

Get-AzVM -Name MyVM -ResourceGroupName MyRG | Select-Object -Property Name, ResourceGroupName, Location

The command retrieves VM info; security configurations like NSG rules are separate.

Concrete Business Scenarios

A bank moving a customer-facing app to Azure: The bank chooses PaaS (App Service) to avoid patching the OS. Azure secures the platform; the bank secures the app code, uses Azure AD for authentication, and encrypts customer data. If a breach occurs due to a weak password policy, the bank is responsible.

A healthcare provider using IaaS for legacy apps: They manage the VMs, including OS patching and firewall rules. Azure ensures the physical host is secure. If they miss a critical patch, they are liable for vulnerabilities.

Summary of Responsibility Table

| Layer | IaaS | PaaS | SaaS |
|-------|------|------|------|
| Data | Customer | Customer | Customer |
| Applications | Customer | Customer | Azure |
| OS | Customer | Azure | Azure |
| Hypervisor | Azure | Azure | Azure |
| Physical | Azure | Azure | Azure |

This table is exam-critical.

Walk-Through

1. Identify Service Model

Determine whether you are using IaaS, PaaS, or SaaS for the resource in question. This is the first step because responsibility shifts dramatically. For example, if you deploy a virtual machine, you're using IaaS. If you use Azure SQL Database, it's PaaS. If you use Microsoft 365, it's SaaS. The exam often presents a scenario and asks who is responsible for a specific task—you must classify the service first.

2. List Always-Azure Responsibilities

Regardless of service model, Azure is always responsible for physical security, hardware, network infrastructure, and the hypervisor. These are non-negotiable. For example, if a datacenter suffers a power outage, Azure handles backup power. If a hard drive fails, Azure replaces it. You do not need to worry about these—they are not your responsibility in any scenario.

3. List Always-Customer Responsibilities

You are always responsible for your data, identities, and on-premises resources. This includes data classification, encryption keys (if you use customer-managed keys), user accounts, and compliance with regulations like GDPR. Even in SaaS, if you grant admin access to an unauthorized user, it's your fault. Also, any on-premises devices connected to Azure (e.g., a VPN gateway) are your responsibility.

4. Check Variable Responsibilities by Layer

For each layer (application, OS, runtime, etc.), determine if Azure or the customer manages it. Use a mental checklist: In IaaS, you manage the OS and above. In PaaS, you manage data and app code. In SaaS, you manage only data and user access. For example, patching the database engine in Azure SQL Database is Azure's job; patching your application code is yours. The exam loves to test these nuances.

5. Apply Compliance and Policy Requirements

Even if Azure manages a layer, you must ensure your configuration meets compliance standards. For example, Azure provides encryption at rest by default for many services, but you must enable it for some (like Azure Storage). Use Azure Policy to enforce settings. If a compliance audit finds data unencrypted, you are responsible—not Azure. This step is often overlooked by candidates.
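As an added example (not code from the original chapter), the five steps above as a small Python checker: it classifies each resource in a constructed inventory by service model, refuses to guess when it cannot, and lists the layers the customer must secure. The resource-type-to-model mapping, the layer names and the sample inventory are assumptions made for illustration.

```python
# Added example, not from the original chapter: the five walk-through steps as
# a checker over a constructed inventory. Mapping and resources are assumptions.
from dataclasses import dataclass

LAYERS = ("physical", "core_network", "hypervisor", "os", "runtime",
          "application", "data", "identity")
ALWAYS_AZURE = {"physical", "core_network", "hypervisor"}   # step 2
ALWAYS_CUSTOMER = {"data", "identity"}                        # step 3
CUSTOMER_VARIABLE = {                                         # step 4
    "IaaS": {"os", "runtime", "application"},  # OS and above is yours
    "PaaS": {"application"},                   # Azure runs the OS and runtime
    "SaaS": set(),                             # only data and identity remain
    "on-premises": set(LAYERS) - ALWAYS_CUSTOMER,  # you own every layer
}
# Assumed mapping of resource types to the chapter's service models.
SERVICE_MODEL = {
    "Microsoft.Compute/virtualMachines": "IaaS",
    "Microsoft.Sql/servers/databases": "PaaS",
    # AKS worker nodes are IaaS-like; the control plane stays Azure's.
    "Microsoft.ContainerService/managedClusters": "IaaS",
    "on-premises": "on-premises",
}

@dataclass
class Resource:
    name: str
    type: str           # resource type key from SERVICE_MODEL
    cmk: bool = False   # customer-managed encryption keys in use

def responsible(model: str, layer: str) -> str:
    """Exam-style lookup: who secures `layer` under service model `model`."""
    if layer not in LAYERS or model not in CUSTOMER_VARIABLE:
        raise ValueError(f"unknown model or layer: {model}/{layer}")
    if layer in ALWAYS_AZURE and model != "on-premises":
        return "Azure"
    if layer in ALWAYS_CUSTOMER or layer in CUSTOMER_VARIABLE[model]:
        return "Customer"
    return "Azure"

def checklist(inventory: list) -> dict:
    """Per-resource layers the customer must secure (step 5: what an audit checks)."""
    result = {}
    for res in inventory:
        model = SERVICE_MODEL.get(res.type)
        if model is None:   # step 1: never guess the service model
            raise ValueError(f"{res.name}: cannot classify {res.type}")
        duties = sorted(l for l in LAYERS if responsible(model, l) == "Customer")
        if res.cmk:         # encryption caveat: keys are yours when CMK is used
            duties.append("key management (customer-managed keys)")
        result[res.name] = duties
    return result

# Constructed inventory for illustration.
INVENTORY = [
    Resource("web-vm", "Microsoft.Compute/virtualMachines"),
    Resource("patients-db", "Microsoft.Sql/servers/databases", cmk=True),
    Resource("branch-fileserver", "on-premises"),
]
```

Calling `checklist(INVENTORY)` returns, per resource, exactly the layers the chapter's table assigns to the customer, with the on-premises server owning all eight.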

What This Looks Like on the Job

Scenario 1: E-Commerce Platform on IaaS

A retail company deploys its e-commerce site on Azure VMs (IaaS). They are responsible for securing the OS, installing web server software, and configuring firewalls. Azure secures the physical host and hypervisor. The team configures Network Security Groups (NSGs) to allow only HTTP/HTTPS traffic. They also install anti-malware and apply monthly OS patches. If they miss a critical patch and attackers exploit a vulnerability, the company bears the liability. Common mistake: they assume Azure automatically patches the OS—it does not. They must set up Update Management or use Azure Automation. Cost: VMs plus patching overhead. Incorrect setup leads to breaches.

Scenario 2: SaaS Email Migration

A law firm migrates to Microsoft 365 (SaaS). Azure manages the email server, spam filtering, and uptime. The firm is responsible for user accounts, MFA, and data retention policies. They configure Azure AD to enforce MFA and create retention tags for legal holds. If an employee's account is compromised due to a weak password, the firm is responsible. If Microsoft's email service goes down, Azure is responsible (subject to SLA). Common problem: firms assume Microsoft backs up all data, but if they delete a mailbox, recovery may require Microsoft support within a limited window. Misunderstanding leads to data loss.

Scenario 3: PaaS Database for Healthcare

A healthcare provider uses Azure SQL Database (PaaS) for patient records. Azure handles database engine patches, backups, and replication. The provider manages the database schema, user permissions, and data encryption. They enable Transparent Data Encryption (TDE) and use Azure Key Vault for keys. If a developer accidentally deletes a table, the provider is responsible for restoring from backups (which Azure automates but they must configure retention). If Azure fails to apply a security patch, Azure is responsible. Scale: they start with a single database and scale to a managed instance. Cost: PaaS reduces operational overhead but requires governance.

How AZ-900 Actually Tests This

AZ-900 Objective 1.1: Describe the Shared Responsibility Model

The exam tests your ability to identify who is responsible for specific security tasks based on the service model. You will see scenario-based questions like: "A company uses Azure VMs. Who is responsible for applying OS security patches?" Answer: The customer. For Azure SQL Database, who is responsible for applying database engine patches? Answer: Microsoft.

Top 4 Wrong Answers and Why Candidates Choose Them

1. "Azure is responsible for everything in the cloud." Candidates assume cloud means fully managed. Reality: Azure secures the infrastructure, but you secure your data and access. This trap appears in questions about data encryption or user access.

2. "The customer is always responsible for the OS." This is false for PaaS and SaaS. In PaaS, Azure manages the OS. In SaaS, Azure manages the application. Candidates forget the variable nature.

3. "Physical security is shared." No—Azure handles physical security entirely. Candidates think they might need to secure datacenter access, but that's Azure's job.

4. "Compliance certifications transfer to the customer." Azure's certifications do not automatically cover your configurations. You must align your use of Azure with compliance requirements. Candidates often assume Azure's SOC 2 certification covers their app.

Specific Terms and Values

IaaS: Infrastructure as a Service (e.g., Azure VMs)

PaaS: Platform as a Service (e.g., Azure SQL Database, App Service)

SaaS: Software as a Service (e.g., Microsoft 365, Dynamics 365)

On-premises: Customer 100% responsible

Always Azure: Physical security, hardware, network, hypervisor

Always Customer: Data, identities, on-premises resources

Edge Cases and Tricky Distinctions

Hybrid deployments: On-premises resources remain your responsibility even if connected to Azure.

Azure Active Directory: You manage identity; Azure provides the service.

Encryption: Azure may provide default encryption (e.g., Azure Storage SSE), but you must manage keys if using customer-managed keys.

Container services: AKS (Azure Kubernetes Service) is PaaS for the control plane; you manage worker nodes (IaaS-like). The exam may test this nuance.

Memory Trick: The "Ice Cream Sundae" Model

Think of an ice cream sundae: The bowl (physical infrastructure) is Azure's. The ice cream (hypervisor/OS) is Azure's in PaaS/SaaS, yours in IaaS. The toppings (data/apps) are always yours. The sprinkles (identities) are yours. This helps remember layers.

Key Takeaways

The shared responsibility model defines who secures what: Azure always secures physical infrastructure, hypervisor, and core network.

Customers are always responsible for their data, identities, and on-premises resources.

Responsibility varies by service model: IaaS (customer manages OS and above), PaaS (customer manages data and app code), SaaS (customer manages data and access only).

In IaaS, customers must patch the OS; in PaaS, Azure patches the platform; in SaaS, Azure patches everything.

Azure's compliance certifications do not automatically cover customer workloads—customers must configure services to meet compliance.

The exam tests scenario-based questions: identify who is responsible for a specific task based on the service model.

Common trap: assuming Azure is responsible for all security—remember the customer's always-responsible layers.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

IaaS (Virtual Machines)

Customer manages OS and applications

Customer responsible for OS patching

Customer configures network security (NSGs)

Azure manages physical host and hypervisor

Higher operational overhead

PaaS (Azure SQL Database)

Azure manages OS and database engine

Azure responsible for database engine patching

Azure manages network infrastructure; customer configures firewall rules

Azure manages physical host, hypervisor, and runtime

Lower operational overhead

Watch Out for These

Mistake

Azure is responsible for all security in the cloud.

Correct

Azure secures the infrastructure, but customers are responsible for securing their data, identities, and configurations. The shared responsibility model divides duties.

Mistake

In IaaS, Azure patches the operating system.

Correct

In IaaS, the customer manages the OS, including patches. Azure patches the hypervisor and physical host only.

Mistake

Compliance certifications like ISO 27001 automatically apply to customer workloads.

Correct

Azure's certifications apply to its infrastructure. Customers must configure their services to meet compliance requirements. The certification does not cover customer data or configurations.

Mistake

The customer is responsible for physical security of Azure datacenters.

Correct

Azure is fully responsible for physical security (guards, cameras, access controls). Customers have no physical access to datacenters.

Mistake

In SaaS, the customer is responsible for application code.

Correct

In SaaS, Azure manages the application code. The customer is responsible for data, user access, and device policies. For example, in Microsoft 365, Microsoft handles the email server code; you manage mailboxes and permissions.

Frequently Asked Questions

Who is responsible for patching the operating system on an Azure virtual machine?

The customer is responsible. In IaaS, Azure manages the physical host and hypervisor, but the virtual machine's OS is managed by the customer. You must apply OS patches using tools like Windows Update or Azure Update Management. The exam will present this scenario; the correct answer is the customer.

Is Azure responsible for backing up my data in Azure SQL Database?

Azure automatically performs backups of Azure SQL Database (full, differential, and transaction log backups) and retains them based on the configured retention period (default 7 days for basic tier). However, you are responsible for defining the backup policy and initiating point-in-time restores. If you need longer retention, you must configure long-term retention. So, Azure handles the backup process, but you manage the policy and restoration.

Who is responsible for physical security in Azure datacenters?

Azure is entirely responsible for physical security. This includes guards, biometric access controls, surveillance cameras, and environmental controls (power, cooling). Customers have no physical access to Azure datacenters. The exam tests this as an always-Azure responsibility.

If I use Microsoft 365, am I responsible for patching the email server?

No. Microsoft 365 is a SaaS offering. Microsoft manages the entire application stack, including the email server software and its patches. Your responsibilities are limited to managing user accounts, data, and access policies (e.g., MFA, retention policies). The exam may ask about SaaS responsibilities; remember that Azure handles the application and platform layers.

Does Azure's SOC 2 certification mean my application is SOC 2 compliant?

No. Azure's SOC 2 certification covers the infrastructure and services provided by Azure. Your application's compliance depends on how you configure and use those services. You must implement additional controls (e.g., encryption, access management) to achieve SOC 2 compliance for your workload. The exam tests this distinction: certifications apply to Azure, not automatically to customer solutions.

In a hybrid deployment with an on-premises server connected to Azure, who is responsible for securing the on-premises server?

The customer is responsible for the on-premises server. The shared responsibility model applies only to cloud resources. On-premises infrastructure remains 100% the customer's responsibility, even if it is connected to Azure via VPN or ExpressRoute. The exam may include hybrid scenarios; remember that Azure's responsibility ends at the cloud boundary.

What is the difference in responsibility for network security between IaaS and PaaS?

In IaaS, you are responsible for configuring network security groups (NSGs), firewalls, and routing for your virtual networks. Azure protects the physical network infrastructure. In PaaS, Azure manages the underlying network, but you can configure firewall rules at the service level (e.g., Azure SQL Database firewall). You also control network isolation via virtual network integration. The exam tests that in PaaS, Azure handles more of the network stack, but you still have security configuration duties.
