AZ-900 · Chapter 2 of 127 · Objective 1.1

The Shared Responsibility Model

This chapter covers the shared responsibility model, a foundational concept in cloud computing that defines which security and operational tasks are handled by Microsoft Azure and which are handled by you, the customer. Understanding this model is critical for the AZ-900 exam because it appears in multiple questions across all domains, and it directly impacts cost, security, and compliance decisions. The Cloud Concepts domain (which includes this objective) carries approximately 25-30% of the exam weight, so mastering this topic is essential for passing.

25 min read
Beginner
Updated May 31, 2026

Renting vs. Owning a House

Imagine you live in a rented apartment. The building owner (landlord) is responsible for the roof, foundation, exterior walls, plumbing, and electrical wiring: the infrastructure you share with other tenants. You, as the tenant, are responsible for what's inside your unit: your furniture, your computer, your curtains, and the food in your fridge. If the roof leaks, you call the landlord. If your laptop breaks, you fix or replace it yourself. If you own a house instead, you are responsible for everything: the roof, the foundation, and the interior. The cloud shared responsibility model works much the same way. The cloud provider (Azure) is the landlord: it secures the physical data centers, the network, and the hypervisor. You, the customer, are the tenant: you secure your data, your applications, and your user access. There is a twist, though. Azure also offers managed services (such as Azure SQL Database) where it takes on more of the work, much like a furnished apartment where the landlord provides and maintains the appliances. Even then, responsibility is never fully transferred; it is always shared. Knowing who does what, and where the line moves as you change services, is critical for security and compliance.

How It Actually Works

What Is the Shared Responsibility Model?

The shared responsibility model is a framework that clarifies the division of security and operational responsibilities between a cloud provider (Microsoft Azure) and the customer. In traditional on-premises data centers, the organization owns everything: the building, the servers, the network, the operating systems, the applications, and the data. The organization is 100% responsible for security, patching, uptime, and compliance. In the cloud, the provider takes on some of that responsibility, but not all. The exact split depends on the service model—Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS).

Why Does It Exist?

The business problem the shared responsibility model solves is confusion and security gaps. Without a clear model, customers might assume the cloud provider secures everything, leading to data breaches. Conversely, providers might be blamed for issues that are actually the customer's fault. By explicitly defining responsibilities, both parties know what they must do. For example, Azure is responsible for the physical security of its data centers, but you are responsible for who has access to your virtual machines and how you configure network security groups.

How Does It Work? A Step-by-Step Mechanism

1. Azure's always-responsible layers: Azure is always responsible for the physical infrastructure (data centers, servers, storage hardware, networking gear) and for the hypervisor that virtualizes those resources. Azure also manages the physical security of its facilities (guards, cameras, biometrics).

2. Customer's always-responsible layers: You are always responsible for your information and data, your accounts and identities (users and groups), and the devices (phones, laptops, PCs) that connect to Azure. You decide who accesses what, how data is classified and encrypted, and how compliance obligations are met.

3. Variable responsibility layers: The operating system, network controls, applications, and identity and directory infrastructure sit in a zone where responsibility shifts with the service model.

Service Models and the Responsibility Shift

IaaS (e.g., Azure Virtual Machines): Azure provides the virtualized hardware (CPU, memory, storage, network). You deploy and manage the OS, runtime, applications, and data. You patch the OS, configure firewalls, and manage user accounts. Azure only ensures the underlying host is secure and the virtual machine can run.

PaaS (e.g., Azure App Service, Azure SQL Database): Azure manages the OS, runtime, and middleware. You bring your application code and data. Azure handles OS and engine patching, high availability, and platform backups. For example, with Azure SQL Database, Microsoft automatically applies security patches and manages the database engine, but you manage the schema, logins and permissions, firewall rules, and (if you need them) customer-managed encryption keys; Transparent Data Encryption is on by default with Microsoft-managed keys, and keeping it that way is your decision.

SaaS (e.g., Microsoft 365, Dynamics 365): Microsoft manages everything except your data and user access. You simply use the software. Microsoft runs the application, OS, and hardware, and operates most of the security controls. You manage your users, their permissions, and your data (including retention and sharing settings).

On-Premises Equivalent

In an on-premises data center, your organization is responsible for everything: physical security, hardware maintenance, OS patching, application updates, and data protection. The shared responsibility model is a departure because it offloads many tasks to Azure, reducing operational overhead but requiring you to understand what you still own.

Azure Portal and CLI Touchpoints

- Azure Policy: You enforce compliance by defining policies that restrict what resources can be created and how they are configured. This is a customer responsibility.
- Role-Based Access Control (RBAC): You define who can access resources and what they can do. This is a customer responsibility.
- Microsoft Defender for Cloud (formerly Azure Security Center): Provides recommendations, most of which fall on the customer side of the line. For example, it might flag that a VM is missing OS patches or that a storage account still allows anonymous (public) blob access; both are customer responsibilities.
- CLI example: To create a virtual machine, you specify the image, size, and network. Azure provisions the hardware, but you must then configure the OS:

az vm create --resource-group MyRG --name MyVM --image Ubuntu2204 --admin-username azureuser --generate-ssh-keys

(Use a versioned image alias such as Ubuntu2204; the UbuntuLTS alias used in older quickstarts no longer resolves in current Azure CLI releases.) After creation, you SSH in and install updates, configure firewall rules, and add users.
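The customer-side work that follows that command, as an added example (not code from the original page): a POSIX shell script that builds the network security group with SSH restricted to a management network, refuses a rule whose source is the whole Internet before it is ever sent to Azure, creates the VM with automatic guest patching turned on, and lists the inbound allow rules afterwards. Resource names, the region, the management CIDR and the Ubuntu2204 image alias are assumptions; the az calls run only when the script is invoked with apply against an authenticated Azure CLI.

```sh
#!/bin/sh
# Added example, not from the original page: the customer-side half of an IaaS
# deployment wrapped around the az vm create call shown above. Resource names,
# the region and the management CIDR are assumptions; change them for your tenant.
set -e

RG="MyRG"; LOCATION="eastus"; VM="MyVM"; NSG="MyVM-nsg"   # assumed names
MGMT_CIDR="203.0.113.0/24"   # assumed admin network (TEST-NET-3 documentation range)

# Azure accepts an NSG rule whose source is the whole Internet without complaint;
# the model says the consequences are yours. Refuse such a source before calling az.
# Returns 0 (true) when the prefix is effectively unrestricted.
source_prefix_is_public() {
  case "$1" in
    '*'|0.0.0.0/0|0.0.0.0|Internet|internet|any|Any) return 0 ;;
    *) return 1 ;;
  esac
}

# Preflight for the SSH allow rule: fail closed on a public source.
ssh_rule_preflight() {
  if source_prefix_is_public "$1"; then
    echo "refusing to expose SSH to source '$1'" >&2
    return 1
  fi
  return 0
}

# Everything below talks to Azure; run the script with "apply" and an authenticated az.
apply() {
  ssh_rule_preflight "$MGMT_CIDR"
  az group create --name "$RG" --location "$LOCATION" --output none

  # The NSG service is Azure's; every rule in it is yours. The default rules already
  # deny inbound traffic from the Internet, so one narrow allow rule is all we add.
  az network nsg create --resource-group "$RG" --name "$NSG" --output none
  az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name AllowSshFromMgmt --priority 100 --direction Inbound --access Allow \
    --protocol Tcp --source-address-prefixes "$MGMT_CIDR" --destination-port-ranges 22 \
    --output none

  # Guest OS patching stays the customer's responsibility; AutomaticByPlatform only
  # delegates the mechanics to Azure, not the accountability.
  az vm create --resource-group "$RG" --name "$VM" --image Ubuntu2204 \
    --admin-username azureuser --generate-ssh-keys --nsg "$NSG" \
    --patch-mode AutomaticByPlatform --output none

  # Verify: every inbound allow rule with its source, so a later "quick fix" that
  # opened port 22 to '*' cannot hide.
  az network nsg rule list --resource-group "$RG" --nsg-name "$NSG" \
    --query "[?direction=='Inbound' && access=='Allow'].{name:name,source:sourceAddressPrefix,port:destinationPortRange}" \
    --output table
}

[ "${1:-}" = "apply" ] && apply || true
```

The preflight is deliberately dumb: it is not a CIDR parser, it is a list of the spellings that mean "everyone", which is exactly the misconfiguration exam questions (and incident reports) keep coming back to.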

Concrete Business Scenarios

Scenario 1: Healthcare company (HIPAA compliance). A hospital moves its patient records to Azure SQL Database (PaaS). Azure is responsible for the database engine's security and patching. The hospital is responsible for keeping Transparent Data Encryption enabled (it is on by default), deciding whether it needs customer-managed keys, and managing access through Microsoft Entra ID. If the hospital configures server firewall rules that allow access from the public Internet, patient data could leak. That is not Azure's fault.

Scenario 2: E-commerce startup (IaaS). A startup deploys a custom web application on Azure VMs. It must patch the OS, configure the web server (IIS), and manage the application code. Azure ensures the VM host is secure and the disk is durable. If the startup forgets to apply a critical OS patch and is compromised, that is its responsibility.

Scenario 3: Large enterprise (SaaS). A company uses Microsoft 365 for email and collaboration. Microsoft manages the availability and security of the application. The company manages user accounts, authentication policies, and data retention. If a user accidentally shares a sensitive document externally, it is the company's responsibility to have trained users and set sharing policies.

Walk-Through

1

Identify your service model

Before determining responsibilities, you must know which cloud service model you are using: IaaS, PaaS, or SaaS. The model defines the boundary. For example, if you use Azure Virtual Machines (IaaS), you are responsible for the OS and above. If you use Azure App Service (PaaS), Azure manages the OS and runtime. If you use Microsoft 365 (SaaS), Azure manages almost everything except your data and users. This step is often overlooked in exams—questions will describe a workload and ask who is responsible for a specific task (e.g., patching the OS). The answer depends on the service model.

2

Map responsibilities to the model

Create a mental or actual diagram: On the left, list Azure's always-responsible items (physical security, hardware, network). On the right, list your always-responsible items (data, identities, devices). In the middle, list the shared items (OS, network controls, applications) and adjust their position based on the service model. For IaaS, the shared items are mostly on the customer side. For PaaS, they shift toward Azure. For SaaS, they are almost entirely on Azure. The exam tests this mapping, especially for PaaS where the boundary is often misunderstood.

3

Implement customer-side controls

Once you know your responsibilities, you must implement them. If you are using IaaS, you need to apply OS patches regularly, configure network security groups (NSGs) to restrict traffic, decide how disks are encrypted (managed disks are encrypted at rest by default; Azure Disk Encryption adds guest-level encryption and customer-managed keys are available), and set up Azure Backup. If you are using PaaS, you need to configure firewall rules (e.g., for Azure SQL Database), manage user permissions via RBAC, choose how data is encrypted (Azure Storage is always encrypted at rest, but you decide between Microsoft-managed and customer-managed keys), and set up monitoring (Azure Monitor). The exam may ask which tool you use for a specific task, such as 'Which Azure service helps you enforce OS patching?' (Answer: Azure Update Manager, the successor to Azure Automation Update Management, which was retired in 2024).

4

Verify compliance and audit

After implementing controls, you must verify that you are meeting compliance requirements. Use Azure Policy to enforce rules (e.g., 'All storage accounts must require secure transfer over HTTPS'), Microsoft Defender for Cloud to get recommendations and a secure score, and policy initiatives or template specs to deploy compliant environments (Azure Blueprints, which used to fill this role, is being retired). The exam tests that Azure Policy is used for governance and compliance, not for security monitoring (that is Defender for Cloud). Also, remember that you are responsible for ensuring your data handling complies with regulations like GDPR, even if Azure provides compliant infrastructure.

5

Monitor and update continuously

The shared responsibility model is not static. As your workload evolves, responsibilities shift. For example, you might migrate from IaaS to PaaS to reduce operational overhead. Continuously monitor your environment with Azure Monitor and Microsoft Defender for Cloud. When a new vulnerability is disclosed, you act on your responsibilities (e.g., patch your guest OS) and Azure acts on its own (e.g., patch the hypervisor). The exam may present a security incident and ask who is responsible; analyze the root cause (unpatched guest OS = customer; hardware failure = Azure).
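Step 4 of the walk-through in code, as an added example that is not part of the original page: a shell script that defines and assigns an Azure Policy rule denying any storage account that still permits plain-HTTP traffic or anonymous blob access, then queries the compliance state. Azure encrypts storage at rest regardless of what you do, so the policy tests the things that actually sit on the customer's side of the line: how the data can be reached. The policy name is an assumption; the field names are Azure Policy aliases for Microsoft.Storage/storageAccounts. The az commands run only when the script is invoked with apply.

```sh
#!/bin/sh
# Added example, not from the original page: a customer-side Azure Policy
# definition that denies storage accounts which permit plain-HTTP access or
# anonymous blob reads. The policy name and the scope are assumptions.
set -e

POLICY_NAME="deny-insecure-storage"   # assumed name

# Emits the policy rule. Field names are Azure Policy aliases for
# Microsoft.Storage/storageAccounts. "notEquals" also fires when the property
# is absent, which is what we want for a deny on create.
policy_rule() {
  cat <<'EOF'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      {
        "anyOf": [
          { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "notEquals": "true" },
          { "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", "notEquals": "false" }
        ]
      }
    ]
  },
  "then": { "effect": "deny" }
}
EOF
}

# Offline sanity check: the rule must deny, and must gate on both transport
# security and anonymous access. Returns 0 when the rule is sound.
policy_rule_is_sound() {
  rule=$(policy_rule)
  echo "$rule" | grep -q '"effect": "deny"' || return 1
  echo "$rule" | grep -q 'supportsHttpsTrafficOnly' || return 1
  echo "$rule" | grep -q 'allowBlobPublicAccess' || return 1
  return 0
}

# Everything below needs an authenticated az; run the script with "apply".
apply() {
  policy_rule_is_sound
  SUB=$(az account show --query id --output tsv)

  az policy definition create --name "$POLICY_NAME" --mode Indexed \
    --display-name "Storage accounts must require HTTPS and deny anonymous blob access" \
    --rules "$(policy_rule)" --output none

  # Assign at subscription scope: new non-compliant accounts are rejected outright,
  # existing ones appear as non-compliant once the next evaluation cycle runs.
  az policy assignment create --name "$POLICY_NAME" \
    --policy "$POLICY_NAME" --scope "/subscriptions/$SUB" --output none

  # The audit step of the walk-through: which resources are out of compliance now?
  az policy state list --policy-assignment "$POLICY_NAME" \
    --filter "complianceState eq 'NonCompliant'" \
    --query "[].resourceId" --output tsv
}

[ "${1:-}" = "apply" ] && apply || true
```

Deny is the right effect for new resources; if you are assigning this to a subscription that already has storage accounts, start with audit, read the non-compliant list, and switch to deny once the owners have fixed their accounts.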

What This Looks Like on the Job

Scenario 1: Financial Services Firm Adopting Azure Virtual Machines (IaaS)

A financial firm wants to move its legacy trading application to Azure VMs to avoid hardware refresh costs. The application requires specific OS configurations and third-party software. The firm's IT team creates VMs in the Azure portal and installs the OS configuration, application, and security tools. They are responsible for patching the OS, configuring the Windows Firewall, and managing user accounts. Azure is responsible for the physical server, hypervisor, and storage replication. The firm uses Azure Backup to protect VM data. A common mistake is assuming Azure automatically patches the guest OS; it does not unless you turn on automatic VM guest patching, and even then you own the outcome. If the firm fails to apply a critical patch, the VM could be compromised. The firm uses Microsoft Defender for Cloud to surface missing patches. Cost considerations: IaaS VMs incur charges for compute, storage, and network egress, so the firm must right-size VMs to avoid overspending.

Scenario 2: Retail Company Using Azure SQL Database (PaaS)

A retail company launches an e-commerce site and needs a scalable database. They choose Azure SQL Database (PaaS). Microsoft manages the database engine, applies security patches, and handles backups. The company is responsible for the schema, logins and permissions, and its encryption choices (Transparent Data Encryption is on by default; the company decides whether it needs customer-managed keys). They configure a server firewall rule that allows only the web app's outbound IP address, and they enable Microsoft Entra authentication. A common error is assuming that because Microsoft manages the database, the company need not worry about SQL injection; the application must still use parameterized queries and validate its inputs, and if data leaks through an injection flaw it is the company's fault. The company uses Azure Policy to enforce that Microsoft Defender for SQL (threat detection) is enabled on every database. Cost: PaaS pricing covers compute and storage, with a serverless option that scales down during low traffic.
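The PaaS half of this scenario, as an added example (not from the original page): a shell script that classifies Azure SQL firewall rules before creating them, because two ranges look harmless and are not. The range 0.0.0.0 to 0.0.0.0 is what the portal's "Allow Azure services and resources to access this server" setting creates, and it admits connections from any Azure tenant's resources, not only yours; 0.0.0.0 to 255.255.255.255 is the whole Internet. The resource group, server, database and the web app's outbound IP are assumptions; the az calls run only when the script is invoked with apply.

```sh
#!/bin/sh
# Added example, not from the original page: the customer-side controls for the
# Azure SQL Database (PaaS) scenario above. Resource names and the web app's
# outbound IP are assumptions; replace them for your tenant.
set -e

RG="RetailRG"; SERVER="retail-sql-01"; DB="shop"   # assumed names
WEB_APP_IP="198.51.100.25"                          # assumed outbound IP (TEST-NET-2)
MAX_RULE_ADDRS=256                                  # anything wider gets a human review

# IPv4 dotted quad -> integer, POSIX sh only.
ip2int() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Azure SQL firewall rules are inclusive IPv4 ranges. Two look harmless and are not:
#   0.0.0.0 - 0.0.0.0          the "Allow Azure services" sentinel: any Azure tenant
#   0.0.0.0 - 255.255.255.255  the whole Internet
# Prints one of: azure-services | internet | broad | narrow
classify_sql_rule() {
  start="$1"; end="$2"
  if [ "$start" = 0.0.0.0 ] && [ "$end" = 0.0.0.0 ]; then
    echo azure-services
  elif [ "$start" = 0.0.0.0 ] && [ "$end" = 255.255.255.255 ]; then
    echo internet
  elif [ $(( $(ip2int "$end") - $(ip2int "$start") + 1 )) -gt "$MAX_RULE_ADDRS" ]; then
    echo broad
  else
    echo narrow
  fi
}

# Gate: only narrow rules are ever sent to Azure.
sql_rule_preflight() {
  [ "$(classify_sql_rule "$1" "$2")" = narrow ]
}

# Everything below talks to Azure; run the script with "apply" and an authenticated az.
apply() {
  # Microsoft patches and backs up the engine. What follows is the customer's half.
  sql_rule_preflight "$WEB_APP_IP" "$WEB_APP_IP"
  az sql server firewall-rule create --resource-group "$RG" --server "$SERVER" \
    --name AllowWebApp --start-ip-address "$WEB_APP_IP" --end-ip-address "$WEB_APP_IP" \
    --output none

  # Transport security is also yours: refuse anything below TLS 1.2.
  az sql server update --resource-group "$RG" --name "$SERVER" \
    --minimal-tls-version 1.2 --output none

  # TDE is on by default; verify instead of assuming, because keeping it on is your job.
  az sql db tde show --resource-group "$RG" --server "$SERVER" --database "$DB" \
    --query status --output tsv

  # Audit every rule on the server and name the ones that are not narrow.
  az sql server firewall-rule list --resource-group "$RG" --server "$SERVER" \
    --query "[].[name,startIpAddress,endIpAddress]" --output tsv |
  while IFS="$(printf '\t')" read -r name start end; do
    echo "$name: $(classify_sql_rule "$start" "$end")"
  done
}

[ "${1:-}" = "apply" ] && apply || true
```

The classifier does not replace a private endpoint: if the web app and the database can live on the same virtual network, a private endpoint plus disabling public network access removes the firewall question entirely, and the script's audit loop is then only there to prove that no stray rule came back.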

Scenario 3: Nonprofit Using Microsoft 365 (SaaS)

A nonprofit adopts Microsoft 365 for email, document collaboration, and video conferencing. Microsoft manages the availability of the service, the security of the application, and the underlying infrastructure. The nonprofit manages user accounts, authentication policies (e.g., requiring multi-factor authentication), and data retention (e.g., how long emails are kept). It also configures sharing policies so external users cannot reach sensitive documents. A common problem is that users inadvertently share confidential files publicly. The nonprofit must train staff and use the Microsoft Purview compliance portal (formerly the Microsoft 365 compliance center) to set up data loss prevention (DLP) policies. If a breach results from a vulnerability in Microsoft's service, Microsoft is responsible. If a user's account is compromised because of a weak password and no MFA, the nonprofit is responsible. Cost: SaaS is subscription-based; the nonprofit chooses a plan that fits its budget and number of users.

How AZ-900 Actually Tests This

Objective Code: Describe the shared responsibility model (1.1)

This objective is tested in multiple ways. You will see scenario-based questions where you must determine who is responsible for a specific task (e.g., patching the OS, encrypting data, physical security). The correct answer always aligns with the service model described.

Common Wrong Answers and Why Candidates Choose Them

1. 'Azure is responsible for everything.' Candidates choose this because they think 'cloud' means the provider handles all security. The reality is that the customer always has responsibilities (data, identities, devices).

2. 'The customer is responsible for physical security.' This is a trick: candidates confuse on-premises with cloud. In the cloud, Azure handles physical security of data centers.

3. 'For PaaS, the customer is responsible for the OS.' This is false. In PaaS, Azure manages the OS. Candidates might think PaaS is like IaaS, but the key difference is that PaaS abstracts the OS.

4. 'The shared responsibility model only applies to security.' It also applies to operational tasks like patching, backups, and high availability. The exam tests this broader scope.

Specific Terms and Values That Appear Verbatim

'Always responsibilities of the customer': data, identities, on-premises devices, accounts, and compliance.

'Always responsibilities of Microsoft': physical datacenter security, hardware, network infrastructure, hypervisor.

'IaaS': customer manages OS, middleware, runtime, applications, and data; Azure manages virtualized hardware.

'PaaS': Azure manages OS, middleware, runtime; customer manages data and application.

'SaaS': Microsoft manages everything except data and access.

Edge Cases and Tricky Distinctions

Hybrid deployments: With Azure Stack Hub (Azure services running in your own data center), the line moves back toward you. Microsoft supplies the software stack and its update packages, but you or your hardware partner operate the hardware and you apply those updates. The exam may not test this deeply, but be aware of it.

Managed disks vs. unmanaged disks: Both are IaaS, but managed disks let Azure handle the storage accounts behind the disk (unmanaged disks are deprecated and being retired). Responsibility for the data on the disk, and for the guest OS that reads it, remains with the customer either way.

Microsoft Entra ID (formerly Azure Active Directory): The customer manages users, groups, and sign-in policies (identities). Microsoft operates the directory service itself.

Memory Trick / Decision Tree

The 'PIE' method:

- Physical & Infrastructure: Azure is always responsible.
- Identities & Data: the customer is always responsible.
- Everything else: depends on the service model (IaaS = customer, PaaS = shared, SaaS = Microsoft).

For exam questions, first identify the service model. Then ask: Is this task related to physical hardware or the hypervisor? If yes, Azure. Is it related to data or user accounts? If yes, customer. Otherwise, apply the model: IaaS = customer, PaaS = Azure manages the OS and middleware, SaaS = Microsoft manages almost everything.

Key Takeaways

The shared responsibility model defines who is responsible for security and operations: Azure (physical infrastructure) vs. customer (data, identities, devices).

In IaaS, the customer is responsible for the OS, applications, and data; Azure manages the virtualized hardware.

In PaaS, Azure manages the OS and middleware; the customer manages the application and data.

In SaaS, Microsoft manages almost everything except the customer's data and user access.

The customer is always responsible for their own data, identities, and on-premises devices, regardless of service model.

Azure is always responsible for the physical security of datacenters, hardware, and the hypervisor.

The exam tests scenario-based questions: identify the service model, then determine responsibility for a specific task (e.g., patching, encryption).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

IaaS (Azure VM)

Customer manages OS, runtime, middleware, and data.

Azure manages virtualized hardware (CPU, memory, storage, network).

More control but more operational overhead (patching, backups).

Customer must configure high availability (e.g., availability sets).

Example: Deploying a custom application on a Windows Server VM.

PaaS (Azure App Service)

Azure manages OS, runtime, and middleware.

Customer manages application code and data.

Less control but less operational overhead (automatic patching).

Azure provides built-in high availability and scaling.

Example: Deploying a web app using .NET Core without managing the server.

Watch Out for These

Mistake

The cloud provider is responsible for all security in the cloud.

Correct

Security is a shared responsibility. The provider secures the cloud infrastructure, but the customer must secure their data, applications, and access. For example, Azure protects the physical datacenter, but you must configure firewalls and encrypt your data.

Mistake

In IaaS, Azure patches the operating system.

Correct

In IaaS, you are responsible for patching the OS. Azure only patches the underlying hypervisor and host OS. If you use a Windows VM, you must run Windows Update.

Mistake

PaaS means the customer has no security responsibilities.

Correct

Even in PaaS, the customer is responsible for data, user access, and application-level security. For example, with Azure SQL Database, you must manage firewall rules and user permissions.

Mistake

SaaS means the customer has no responsibilities at all.

Correct

In SaaS, the customer is still responsible for their data, user identities, and compliance. For example, in Microsoft 365, you manage user accounts and data retention policies.

Mistake

The shared responsibility model is static and never changes.

Correct

The model is dynamic. If you change service models (e.g., from IaaS to PaaS), responsibilities shift. Also, new Azure services may introduce different boundaries. Always review the documentation for each service.

Frequently Asked Questions

Who is responsible for patching the operating system in an Azure VM?

The customer is responsible. In IaaS (Azure VMs), Azure patches the hypervisor and host OS, but you must patch the guest OS (Windows or Linux) running inside the VM. You can use Azure Update Manager, or the VM's automatic guest patching setting, to automate the work, but the responsibility remains yours. Exam tip: If the scenario mentions a VM, assume the customer handles OS patching unless it is a PaaS service like Azure App Service.

Is the customer responsible for physical security in Azure?

No. Azure is responsible for the physical security of its datacenters, including guards, cameras, and access controls. The customer never has physical access to the hardware. This is a common exam question—remember that physical security always falls on Azure.

What is the customer always responsible for in the shared responsibility model?

The customer is always responsible for their data (including encryption and compliance), identities (users, groups, passwords), on-premises devices (laptops, phones), and accounts. Even in SaaS, you manage who can access the service and what data is stored.

Does the shared responsibility model apply to Azure services like Azure Functions?

Yes. Azure Functions is a PaaS service (serverless compute). Azure manages the infrastructure and runtime; you are responsible for your function code, data, and access permissions. For example, you must secure the function's endpoints and manage connection strings.

How does the shared responsibility model affect compliance?

Compliance is a shared responsibility. Azure provides infrastructure with certifications such as ISO 27001 and supports HIPAA obligations, but you must ensure your data handling and configurations meet regulatory requirements. For example, Azure Storage encrypts data at rest automatically, but if your regulator requires you to control the keys you must configure customer-managed keys in Azure Key Vault, enforce secure transfer, and decide which data may be stored in which region.

What happens if a security breach occurs due to a misconfigured network security group?

That is the customer's responsibility. NSGs are a customer-managed control. If you leave a port open to the internet and a breach occurs, Azure is not responsible. The exam will test that configuration errors fall under customer responsibility.

Can responsibility be transferred entirely to Azure?

No. Even with full SaaS, the customer always retains responsibility for their data and identities. There is no model where Azure takes 100% responsibility. This is a foundational principle of the shared responsibility model.
