This chapter covers the three primary cloud service types — Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) — plus related models like Desktop as a Service (DaaS) and Function as a Service (FaaS). Understanding these models is critical for the MS-900 exam because approximately 20% of questions test your ability to identify, compare, and select the appropriate service type for given scenarios. You must know the shared responsibility model, the differences in management scope, and real-world examples of each service from Microsoft 365 and Azure.
Jump to a section
Imagine you want to host a pizza party. You have three levels of involvement. First, you can make everything from scratch: buy flour, yeast, tomatoes, cheese, toppings, grow your own herbs, build an oven, and cook it yourself. That's like managing your own on-premises data center: you control every layer, but you're responsible for procurement, maintenance, and everything else. Second, you can buy a pre-made pizza kit from a store: the dough is ready, sauce is bottled, cheese shredded, and you just assemble, bake, and serve. This is Platform as a Service (PaaS): the cloud provider gives you the runtime environment, middleware, and OS, but you still write and deploy your application code. Third, you can order a fully baked pizza delivered to your door. You just eat it. That's Software as a Service (SaaS): the provider handles everything — hardware, OS, application — and you just use the software. Infrastructure as a Service (IaaS) is like ordering a pizza base and toppings separately and assembling them yourself: you get raw compute, storage, and networking, and you build your platform on top. Each model shifts responsibility from you to the provider, exactly like moving from homemade to delivery pizza.
What Are Cloud Service Types and Why Do They Exist?
Cloud service types define the level of abstraction and control a customer has over cloud resources. They exist because different workloads require different trade-offs between control, flexibility, and management overhead. The cloud provider offers varying degrees of responsibility: in some models you manage everything above the hypervisor; in others you only manage application data. The three fundamental models are IaaS, PaaS, and SaaS, standardized by NIST SP 800-145. Microsoft 365 is primarily SaaS, but Azure services span IaaS and PaaS. The MS-900 exam expects you to classify services correctly and map them to business needs.
The Shared Responsibility Model
The shared responsibility model is the core framework for understanding cloud service types. It defines which security and management tasks are handled by the provider versus the customer. The model varies by service type:
On-premises: Customer manages everything.
IaaS: Customer manages OS, applications, data, and network controls; provider manages physical hardware, storage, networking, and hypervisor.
PaaS: Customer manages applications and data; provider manages OS, middleware, runtime, and infrastructure.
SaaS: Customer manages data and user access; provider manages everything else.
Key exam point: The customer is ALWAYS responsible for their own data and identities, regardless of service type. This is a common trick — questions may imply the provider secures your data in SaaS, but responsibility is shared.
Infrastructure as a Service (IaaS)
IaaS provides virtualized computing resources over the internet. You get virtual machines (VMs), virtual networks, and storage, but you must install and configure the OS, middleware, and applications. Azure Virtual Machines is the primary IaaS offering. Key characteristics: - Full control over the OS and applications. - Pay-as-you-go for compute hours, storage, and networking. - Scalability via manual scaling or VM scale sets. - Responsibility: Customer handles OS patches, application updates, security software, and network configuration.
Common exam scenarios: lift-and-shift migration of legacy apps, running custom software with specific OS requirements, or needing full administrative access.
Platform as a Service (PaaS)
PaaS delivers a managed platform for developing, running, and managing applications without the complexity of building and maintaining the underlying infrastructure. Azure App Service is a prime example. Key characteristics: - Managed runtime: The provider handles OS updates, patching, and scaling. - Built-in services: Load balancing, auto-scaling, monitoring, and CI/CD integration. - Developer focus: You only deploy code; no server management. - Responsibility: Provider manages OS, runtime, middleware; customer manages application code and data.
Common exam scenarios: web applications, APIs, mobile backends, and containerized apps (Azure Kubernetes Service is a PaaS for containers).
Software as a Service (SaaS)
SaaS delivers fully functional software applications over the internet. Microsoft 365 is the flagship SaaS suite. Key characteristics: - Zero infrastructure management: Everything from servers to application code is managed by the provider. - Subscription-based: Monthly or annual per-user licensing. - Multi-tenant architecture: One application instance serves many customers, with data isolation. - Responsibility: Customer manages data, user accounts, and compliance; provider manages availability, security, and updates.
Common exam scenarios: Email (Exchange Online), collaboration (Teams, SharePoint), productivity (Office apps).
Other Service Models
Desktop as a Service (DaaS): Virtual desktops delivered as a service. Azure Virtual Desktop (AVD) is a DaaS offering. The provider manages the VDI infrastructure; you manage the desktop images and user assignments.
Function as a Service (FaaS): Serverless compute where you run individual functions triggered by events. Azure Functions is a FaaS offering. You upload code, and the provider executes it on demand, scaling automatically. You pay only for execution time.
Container as a Service (CaaS): Managed container orchestration. Azure Kubernetes Service (AKS) is CaaS. You manage containers and pods; the provider manages the control plane and worker nodes.
How Service Types Interact with Microsoft 365
Microsoft 365 is predominantly SaaS, but it integrates with Azure services that are IaaS or PaaS: - Azure AD (now Microsoft Entra ID): A PaaS identity service that underpins M365 authentication. - Exchange Online Protection: SaaS email filtering, but advanced threat protection may use Azure functions. - SharePoint Online: SaaS document management, but you can extend it with Azure Logic Apps (PaaS).
Exam questions often present a scenario where you must choose between IaaS, PaaS, or SaaS for a workload. Key decision factors: - Control vs. convenience: More control = more management overhead. - Existing skills: If your team knows OS administration, IaaS may be easier; if they are developers, PaaS suits better. - Compliance: Some regulations require you to control the OS; IaaS is necessary.
Default Values and Timers
While service types themselves don't have timers, specific implementations do: - Azure VM default OS disk: 127 GB (managed disk) - Azure App Service auto-scale: Default cool-down period of 5 minutes between scale operations. - Azure Functions timeout: Default 5 minutes for consumption plan; configurable up to 10 minutes (or unlimited on Premium plan). - Microsoft 365 user license assignment: Typically takes 1-30 minutes to propagate across all services.
Configuration and Verification Commands
For Azure IaaS/PaaS, you can use Azure CLI or PowerShell to verify service type and configuration:
# List all VMs (IaaS)
az vm list --output table
# List App Service plans (PaaS)
az appservice plan list --output table
# Check if a VM is running (IaaS)
az vm show --name MyVM --resource-group MyRG --query "powerState"
# Get Azure Functions (FaaS)
az functionapp list --output tableFor Microsoft 365 SaaS, you can use the Microsoft 365 admin center or PowerShell:
# Get licensed users (SaaS)
Get-MsolUser -All | Where-Object {$_.isLicensed -eq $true}
# Check service health
Get-MsolCompanyInformationHow It Interacts with Related Technologies
Service types are not isolated; they often combine in a single solution: - Hybrid deployment: A company might use Office 365 (SaaS) for email, Azure VMs (IaaS) for legacy apps, and Azure SQL Database (PaaS) for new apps. - Serverless architectures: Use Azure Functions (FaaS) to process events from Office 365 (SaaS) via webhooks. - Virtual desktop: Azure Virtual Desktop (DaaS) runs on Azure VMs (IaaS) but is managed as a service.
Exam trap: A question may describe a scenario where you need to migrate an on-premises app that requires full OS control. The correct answer is IaaS (Azure VM). Candidates often choose PaaS because it's "managed," but PaaS does not give OS access.
Identify workload requirements
Begin by analyzing the application or workload you need to run. Determine the level of control required: Do you need full administrative access to the OS? Do you have custom dependencies that require specific OS patches? What is your team's skill set? Also consider compliance requirements: some regulations mandate that you control the underlying OS. This step determines whether you need IaaS (full control), PaaS (platform only), or SaaS (no control). For example, a legacy .NET app with a custom database driver likely needs IaaS because you must install and configure the driver on the OS.
Evaluate management overhead tolerance
Assess how much time and expertise your organization can dedicate to managing infrastructure. IaaS requires you to patch the OS, install security agents, configure firewalls, and manage backups. PaaS reduces this to application-level management only. SaaS eliminates infrastructure management entirely, leaving only data and user management. A small startup with limited IT staff should prefer SaaS or PaaS to minimize overhead. An enterprise with a dedicated server team may choose IaaS for legacy apps.
Consider scalability and performance needs
Different service types offer different scaling models. IaaS typically requires manual scaling or pre-configured VM scale sets with auto-scaling rules. PaaS often includes built-in auto-scaling (e.g., Azure App Service auto-scales based on CPU or memory thresholds). SaaS scales transparently — the provider handles all capacity. For unpredictable workloads, PaaS or SaaS is better because they scale automatically. For predictable, steady-state workloads, IaaS may be more cost-effective.
Map to cloud service model
Based on the previous steps, map the workload to IaaS, PaaS, or SaaS. For example: lift-and-shift of an on-premises SQL Server → IaaS (Azure VM with SQL Server). New web app using .NET Core → PaaS (Azure App Service). Email and collaboration → SaaS (Microsoft 365). This mapping should align with the shared responsibility model: the more you want the provider to manage, the higher the abstraction level.
Verify with provider documentation
Once you've selected a service type, verify that the specific provider (Azure, Microsoft 365) offers the required features. For Azure, check if the PaaS service supports your runtime stack (e.g., Node.js, Python). For SaaS, check if the licensing model covers all users and features needed. Use Azure pricing calculator or Microsoft 365 licensing documentation to estimate costs. This step prevents costly mismatches, such as choosing PaaS for an app that requires OS-level kernel modifications.
Enterprise Scenario 1: Legacy Application Migration
A large insurance company has a custom claims processing application built on Windows Server 2012 with a SQL Server 2014 backend. The app requires full OS access for security scanning agents and a specific .NET Framework version not supported in Azure App Service. The company decides to migrate using IaaS: they create Azure VMs running Windows Server 2012 R2 and SQL Server 2014. They use Azure Migrate to assess compatibility and Azure Site Recovery for replication. In production, they deploy two VMs in an availability set for high availability. The OS and SQL Server are managed by their server team, who apply monthly patches via Azure Update Management. Performance considerations: they choose D-series VMs (general purpose) with premium SSDs for SQL data files. Common misconfiguration: forgetting to configure network security groups (NSGs) to restrict RDP access, leaving the VMs exposed. They also learned to set up alerts for CPU > 80% to trigger scale-out of additional VMs.
Enterprise Scenario 2: Modern Web Application Development
A retail company builds a new e-commerce platform using Node.js and MongoDB. The development team wants to focus on code, not servers. They choose PaaS: Azure App Service for the web frontend and Azure Cosmos DB (MongoDB API) for the database. They use Azure DevOps for CI/CD, deploying directly to App Service slots for staging and production. Auto-scaling is configured to increase instances from 2 to 10 based on CPU usage. The provider handles OS patching and runtime updates. In production, they monitor performance using Application Insights. A common pitfall: the app fails to handle connection pooling properly when scaling out, causing database connection exhaustion. They fixed it by using Cosmos DB's built-in connection pooling and setting App Service's connection limit appropriately. Cost is controlled by using reserved instances for App Service Premium plans.
Enterprise Scenario 3: Fully Managed Productivity Suite
A global consulting firm with 10,000 employees needs email, collaboration, and document management. They choose Microsoft 365 (SaaS) to eliminate on-premises Exchange and SharePoint servers. The IT team focuses on identity management (Azure AD Connect for hybrid identity), data governance (retention policies, DLP), and user training. They deploy Microsoft Teams for communication and OneDrive for personal file storage. Key challenges: ensuring network bandwidth for Teams video calls (they use QoS policies) and managing compliance with GDPR (they use Microsoft Purview). Misconfiguration example: an admin accidentally set a retention policy to delete all emails older than 30 days, causing data loss. They recovered from backups and implemented role-based access control to limit retention policy changes. The SaaS model allows them to scale globally without managing any servers.
What MS-900 Tests on Cloud Service Types
Objective 1.1: "Describe the different types of cloud services available" — this includes IaaS, PaaS, SaaS, and potentially DaaS and FaaS. The exam expects you to:
Identify the correct service type for a given scenario.
Understand the shared responsibility model and which party manages each layer.
Recognize examples of each service type within Microsoft 365 and Azure.
Differentiate between IaaS, PaaS, and SaaS based on management scope.
Top Wrong Answers and Why Candidates Choose Them
Confusing PaaS with IaaS: A scenario describes needing to install custom software on the OS. Candidates choose PaaS because it's "managed," but PaaS does not allow OS-level access. The correct answer is IaaS. Why they fall: they think "managed" means they don't have to do anything, but PaaS only manages the platform, not the application.
SaaS removes all customer responsibility: A question asks who is responsible for data security in SaaS. Candidates answer "the provider." Wrong — the customer is always responsible for their own data. Why they fall: they assume SaaS is fully managed.
Choosing IaaS for a new web app: Developers often default to IaaS because they're familiar with VMs. But PaaS is more appropriate for modern web apps because it reduces overhead. Why they fall: they overlook PaaS benefits like auto-scaling and managed services.
Thinking all cloud services are SaaS: Some candidates think Microsoft 365 is the only cloud model. They miss that Azure VMs are IaaS and Azure SQL Database is PaaS.
Specific Numbers and Terms That Appear on the Exam
NIST SP 800-145: The standard defining IaaS, PaaS, SaaS.
Shared responsibility model: Know the exact division for each type.
Examples:
- IaaS: Azure Virtual Machines, Azure VNet - PaaS: Azure App Service, Azure SQL Database, Azure Functions (FaaS is a subset of PaaS) - SaaS: Microsoft 365 (Exchange Online, SharePoint Online, Teams), Dynamics 365 - DaaS: Azure Virtual Desktop (formerly Windows Virtual Desktop) - FaaS: Azure Functions
Edge Cases and Exceptions
Azure Functions: It is FaaS but sometimes classified under PaaS. The exam may ask specifically about "serverless" which is FaaS.
Container services: Azure Container Instances (ACI) is PaaS; Azure Kubernetes Service (AKS) is CaaS (often considered PaaS).
Hybrid scenarios: A workload may use both IaaS and PaaS (e.g., VM running a custom service that calls a PaaS database).
Microsoft 365 and Azure: Some services like Azure AD are PaaS but essential for M365. Know that M365 is SaaS, but its underlying identity is PaaS.
How to Eliminate Wrong Answers
If the scenario says "full control over OS" → eliminate PaaS and SaaS.
If the scenario says "developers want to focus on code" → eliminate IaaS.
If the scenario says "no infrastructure management" → choose SaaS.
If the scenario mentions "pay per user per month" → likely SaaS.
If the scenario mentions "virtual machines" → IaaS.
Use the shared responsibility model: ask "Who manages the OS?" If the answer is "customer," it's IaaS; if "provider," it's PaaS or SaaS.
IaaS provides virtualized compute, storage, and networking; customer manages OS and above.
PaaS provides a managed platform for application development; provider manages OS and runtime.
SaaS provides ready-to-use software; customer manages only data and users.
The shared responsibility model: customer always owns data and identities.
Azure Virtual Machines is the primary IaaS offering; Azure App Service is PaaS; Microsoft 365 is SaaS.
FaaS (Azure Functions) is a subset of PaaS for event-driven serverless code.
DaaS (Azure Virtual Desktop) delivers virtual desktops as a managed service.
Choosing the right service type balances control, management overhead, and cost.
These come up on the exam all the time. Here's how to tell them apart.
IaaS
Customer manages OS, applications, and data
Full control over the computing environment
Requires manual scaling or VM scale sets
Best for legacy apps and custom software
Example: Azure Virtual Machines
PaaS
Provider manages OS and runtime; customer manages apps and data
No access to underlying OS
Built-in auto-scaling and load balancing
Best for modern web apps and APIs
Example: Azure App Service
PaaS
Customer develops and deploys applications
Provider manages platform; customer manages app code
Scaling is automatic but configurable
Cost based on resource consumption (compute, storage)
Example: Azure SQL Database
SaaS
Customer uses ready-made software
Provider manages everything except data and users
Scaling is transparent and fully managed
Cost based on per-user subscription
Example: Microsoft 365
Mistake
In SaaS, the provider is responsible for data security.
Correct
The customer is always responsible for their own data, including access controls, data classification, and compliance. The provider secures the infrastructure, but data protection is shared.
Mistake
PaaS gives you full control over the operating system.
Correct
PaaS abstracts the OS; you cannot RDP into the server or install custom OS patches. You only manage your application code and configuration.
Mistake
IaaS is always more expensive than PaaS.
Correct
Cost depends on workload. For steady-state, predictable workloads, IaaS reserved instances can be cheaper than PaaS consumption plans. PaaS can be cheaper for variable workloads due to auto-scaling.
Mistake
Microsoft 365 is only SaaS.
Correct
While M365 is primarily SaaS, it includes PaaS components like Azure AD (identity) and Power Platform (low-code). Some M365 workloads may use Azure IaaS for custom extensions.
Mistake
Serverless means no servers at all.
Correct
Serverless (FaaS) still runs on servers, but the provider manages them. You don't provision or manage servers; you just deploy code. The term 'serverless' refers to the customer's perspective.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
IaaS (Infrastructure as a Service) provides virtual machines, storage, and networks that you fully control — you manage the OS, applications, and security. PaaS (Platform as a Service) provides a managed hosting environment for your applications; you only deploy code, and Azure manages the OS, runtime, and scaling. For example, Azure Virtual Machines is IaaS; Azure App Service is PaaS. The key exam distinction: if you need to RDP into the server and install software, it's IaaS.
Microsoft 365 is primarily Software as a Service (SaaS). You subscribe to services like Exchange Online, SharePoint Online, and Teams, and Microsoft manages the infrastructure, platform, and application. However, some components like Azure AD (identity) are PaaS, and you can integrate custom Azure solutions (IaaS/PaaS) with M365. For the exam, classify M365 as SaaS.
In all cloud service models (IaaS, PaaS, SaaS), the customer is always responsible for their own data. This includes data classification, access controls, encryption at rest and in transit (if customer-managed keys), and compliance. The provider secures the physical infrastructure, network, and hypervisor. This is a key point in the shared responsibility model and a common exam trap.
Azure App Service is a prime example of PaaS. You deploy web apps, APIs, or mobile backends without managing the underlying servers. Other PaaS services include Azure SQL Database, Azure Functions (FaaS), and Azure Kubernetes Service (CaaS). The exam may ask you to identify PaaS from a list including Azure VMs (IaaS) and Office 365 (SaaS).
No, PaaS does not provide access to the underlying OS. If your application requires custom OS configurations, specific kernel modules, or the ability to install software that conflicts with the PaaS runtime, you must use IaaS (Azure VM). PaaS is designed for modern applications that are platform-agnostic. This is a frequent exam scenario.
In SaaS, the provider is responsible for the physical infrastructure, network, OS, middleware, and application code. The customer is responsible for their data, user access, device management, and compliance. For example, with Microsoft 365, Microsoft ensures the service is available and secure, but you must configure multi-factor authentication, data loss prevention policies, and user permissions.
FaaS (Function as a Service) is a subset of PaaS focused on event-driven, serverless computing. With FaaS, you deploy individual functions that execute in response to events (e.g., HTTP requests, queue messages). You pay only for execution time. PaaS typically runs a full application continuously. Azure Functions is FaaS; Azure App Service is PaaS. The exam may test this distinction under the 'serverless' concept.
You've just covered Cloud Service Types for MS-900 — now see how well it sticks with free MS-900 practice questions. Full explanations included, no account needed.
Done with this chapter?