This chapter covers the three fundamental cloud service models — Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) — as they apply to Microsoft 365 and Azure. Understanding these models is essential for the MS-900 exam, as approximately 15-20% of questions touch on cloud concepts, including service model definitions, shared responsibility, and deployment scenarios. You will learn the precise characteristics of each model, how Microsoft 365 maps to them, and how to identify the correct model in exam scenarios.
Jump to a section
Imagine you are hosting a dinner party. The three cloud service models — IaaS, PaaS, and SaaS — correspond to different levels of service you might choose. With IaaS (Infrastructure as a Service), you rent a fully equipped commercial kitchen. You bring your own ingredients, recipes, and chef. You control everything from the stove temperature to plating, but you don't own the building or appliances. With PaaS (Platform as a Service), you hire a caterer who provides the kitchen, ingredients, and basic recipes. You choose the menu and specify dietary restrictions, but the caterer handles cooking, timing, and cleanup. You don't manage ovens or sourcing. With SaaS (Software as a Service), you order from a restaurant. You simply choose dishes from a menu; the restaurant handles all preparation, ingredients, and serving. You have no control over the kitchen or recipes. The key insight: as you move from IaaS to SaaS, the provider takes on more responsibility, and you lose control but gain simplicity. In Microsoft 365, the services span these models: Azure VMs are IaaS, Azure SQL Database is PaaS, and Exchange Online is SaaS. Understanding who manages what is critical for security, compliance, and cost decisions.
What Are Cloud Service Models?
Cloud service models define the level of abstraction and control between a cloud provider and a customer. They are standardized by NIST SP 800-145 and form a stack: IaaS at the bottom, PaaS in the middle, SaaS at the top. Each model shifts responsibility for different layers of the technology stack from the customer to the provider.
Infrastructure as a Service (IaaS)
IaaS provides on-demand access to virtualized computing resources — virtual machines, storage, networks, and load balancers — over the internet. The provider manages the physical hardware, hypervisor, and network infrastructure. The customer is responsible for everything above: operating system, middleware, runtime, data, and applications.
Key characteristics: - Virtual machines: Customer provisions VMs with specific CPU, memory, and storage. Example: Azure Virtual Machines. - Networking: Customer configures virtual networks (VNets), subnets, firewalls, and load balancers. - Storage: Customer chooses disk types (Standard HDD, Standard SSD, Premium SSD) and manages data redundancy. - Billing: Pay-as-you-go based on resource consumption (compute hours, storage GB, data transfer). - Scalability: Manual or auto-scaling of VM instances.
Common use cases: - Lift-and-shift migration of on-premises applications. - Test and development environments. - Disaster recovery sites. - Big data processing with custom clusters.
Shared responsibility in IaaS: - Provider: Physical security, hardware, networking, virtualization layer. - Customer: OS patches, application configuration, network security groups, data encryption.
Platform as a Service (PaaS)
PaaS provides a managed platform to deploy applications without managing underlying infrastructure. The provider handles the OS, runtime, middleware, and sometimes the database. The customer focuses only on application code and data.
Key characteristics: - Managed runtime: Customer deploys code (e.g., .NET, Java, Node.js) to a platform that auto-scales and load-balances. Example: Azure App Service. - Database as a Service: Managed databases like Azure SQL Database or Cosmos DB. Provider handles backups, patching, replication. - Development tools: Built-in CI/CD, monitoring, and debugging. - Billing: Based on resource consumption (e.g., App Service plan tier, database DTUs/vCores). - Scalability: Automatic scaling based on demand.
Common use cases: - Web applications and APIs. - Mobile backends. - IoT event processing. - Business intelligence and analytics.
Shared responsibility in PaaS: - Provider: Physical security, hardware, networking, OS, runtime, middleware. - Customer: Application code, data, access management, configuration of platform settings.
Software as a Service (SaaS)
SaaS delivers fully functional applications over the internet, managed entirely by the provider. The customer only configures settings and manages users. Microsoft 365 is the prime example of SaaS.
Key characteristics: - Pre-built applications: Email (Exchange Online), collaboration (Teams), productivity (Word, Excel), file storage (OneDrive, SharePoint). - Multi-tenant architecture: Provider manages a single codebase serving many customers, with data isolation. - Subscription billing: Per-user per-month pricing (e.g., Microsoft 365 Business Basic at $6/user/month). - No infrastructure management: Provider handles all updates, patches, backups, and scaling. - Limited customization: Configuration options via admin portals, but no access to underlying code or OS.
Common use cases: - Enterprise communication and collaboration. - Customer relationship management (CRM) like Dynamics 365. - Email and calendaring. - File sharing and storage.
Shared responsibility in SaaS: - Provider: Everything from physical security to application functionality and data security (depending on SLA). - Customer: User accounts, data classification, compliance settings, third-party app integrations.
How Microsoft 365 Implements SaaS
Microsoft 365 is primarily a SaaS offering. The core services — Exchange Online, SharePoint Online, Teams, OneDrive for Business — are all multi-tenant SaaS applications. Microsoft manages the infrastructure, platform, and application. Customers manage:
User identities and licenses.
Security policies (conditional access, MFA).
Data governance (retention labels, DLP policies).
Service settings (e.g., mailbox quotas, sharing settings).
However, Microsoft 365 also includes some PaaS and IaaS elements: - Azure Active Directory (now Microsoft Entra ID) is a PaaS identity service. - Power Platform (Power Apps, Power Automate) is a PaaS for low-code development. - Azure Virtual Desktop (part of Microsoft 365 subscriptions) is an IaaS-like service for virtual desktops.
Comparing the Models
| Aspect | IaaS | PaaS | SaaS | |--------|------|------|------| | What you manage | OS, middleware, runtime, data, apps | Apps, data | Users, settings | | Provider manages | Hardware, virtualization, networking | Hardware, OS, runtime, middleware | Everything else | | Example in Microsoft ecosystem | Azure VM | Azure App Service | Exchange Online | | Control | High | Medium | Low | | Flexibility | High | Medium | Low | | Management overhead | High | Medium | Low |
Shared Responsibility Model Deep Dive
The shared responsibility model is a key exam topic. It illustrates that security and management duties are distributed between provider and customer, varying by service model.
Always the customer's responsibility: - Data classification and governance. - Client-side encryption. - Identity and access management (IAM). - Compliance with regulations.
Always the provider's responsibility: - Physical security of datacenters. - Hardware and network infrastructure. - Hypervisor security (in IaaS). - Service availability (per SLA).
Variable responsibilities: - OS patching: Customer in IaaS, provider in PaaS and SaaS. - Application security: Customer in IaaS and PaaS, provider in SaaS. - Network controls: Customer in IaaS, shared in PaaS, provider in SaaS.
Exam Relevance
The MS-900 exam tests your ability to:
Identify which service model a given Microsoft service belongs to.
Understand the shared responsibility model for each model.
Recognize the benefits and limitations of each model.
Differentiate between on-premises, cloud, and hybrid deployments.
Common exam scenarios:
A company wants to migrate email to the cloud — which model? (SaaS)
A developer needs a platform to run custom code without managing servers — which model? (PaaS)
A company needs full control over a legacy application's OS — which model? (IaaS)
Key Numbers and Defaults
IaaS billing: Azure VM prices vary by series (B-series, D-series, etc.) and are billed per second.
PaaS: Azure SQL Database DTU tiers: Basic (5 DTU), Standard (10-3000 DTU), Premium (125-4000 DTU).
SaaS: Microsoft 365 Business Basic: $6/user/month; Business Standard: $12.50/user/month; Enterprise E3: $36/user/month.
SLA: Azure IaaS and PaaS typically offer 99.9% to 99.99% uptime SLAs; Microsoft 365 SaaS offers 99.9% uptime for core services.
Configuration and Verification
While MS-900 does not require hands-on configuration, understanding how to verify service models is useful.
- Azure portal: Resource types indicate model — "Virtual machines" = IaaS, "App Service" = PaaS.
- Microsoft 365 admin center: Services listed (Exchange, SharePoint) are SaaS.
- PowerShell: Get-AzureRMVM for IaaS, Get-AzureRMWebApp for PaaS.
Interaction with Related Technologies
Hybrid deployments: Combine on-premises with cloud services. Example: Exchange hybrid (on-prem + Exchange Online SaaS).
Azure Arc: Extends management to on-premises and multi-cloud, enabling IaaS-like control.
Microsoft 365 and Azure AD: Identity as a Service (IDaaS) is a subset of PaaS.
Power Platform: Low-code PaaS that integrates with Microsoft 365 SaaS data.
Identify Business Requirements
The first step in choosing a cloud service model is to assess the organization's needs. Determine the level of control required over the operating system, middleware, and runtime. If the application is a standard productivity suite like email, SaaS (e.g., Exchange Online) is suitable. For custom applications, PaaS (e.g., Azure App Service) provides a managed runtime. For legacy apps needing full OS access, IaaS (e.g., Azure VM) is necessary. Also consider compliance, scalability, and cost. The MS-900 exam tests the ability to map requirements to the correct model.
Evaluate Shared Responsibility
Map out which party manages each layer of the technology stack. In IaaS, the customer manages the OS, applications, and data; the provider manages hardware and virtualization. In PaaS, the provider manages the OS and runtime; the customer manages applications and data. In SaaS, the provider manages everything except user accounts and data. The exam often presents scenarios where a customer must choose a model based on who manages security patches or backups. Remember: the customer always manages data and identities.
Select the Service Model
Based on requirements and responsibility, choose IaaS, PaaS, or SaaS. For example, a company that wants to avoid server maintenance but needs custom business logic should choose PaaS. A startup needing quick email setup with no infrastructure management should choose SaaS (Microsoft 365). The exam may ask to identify which model a specific Azure service belongs to: Azure VMs = IaaS, Azure SQL Database = PaaS, Office 365 = SaaS.
Configure the Service
Once the model is chosen, configure it via the appropriate portal. For IaaS: provision VMs, configure networking, install software. For PaaS: deploy code, configure scaling rules, set up database connections. For SaaS: assign licenses, configure security policies, set up user accounts. The exam does not test detailed configuration but expects knowledge of management interfaces (Azure portal, Microsoft 365 admin center).
Monitor and Manage
After deployment, monitor performance, security, and costs. In IaaS, use Azure Monitor for VM metrics. In PaaS, use Application Insights for app performance. In SaaS, use the Microsoft 365 admin center for usage reports and service health. The exam may ask about tools like Azure Monitor or Microsoft 365 Defender for managing different models.
Enterprise Scenario 1: Lift-and-Shift Migration with IaaS
A large financial services company runs a legacy .NET application on Windows Server 2012 R2 in their on-premises datacenter. The application requires a specific version of IIS and a custom registry setting that is incompatible with PaaS offerings like Azure App Service. They choose IaaS: they create Azure VMs using the Windows Server 2012 R2 image, configure a virtual network with subnets, and attach a load balancer. They install the application manually and configure network security groups (NSGs) to allow only required ports. The migration takes two months. Post-migration, they face patching overhead: they must manually apply Windows updates and monitor VM health. The cost is predictable but higher than PaaS due to reserved instances. Common misconfiguration: leaving RDP open to the internet, leading to brute-force attacks. They mitigate this with Azure Bastion or just-in-time VM access.
Enterprise Scenario 2: Custom Web App with PaaS
A retail company builds a new e-commerce website using ASP.NET Core. They have a small DevOps team and want to focus on code, not servers. They choose Azure App Service (PaaS). They deploy via GitHub Actions, set up auto-scaling based on CPU usage (scale out when CPU > 70% for 10 minutes), and configure a staging slot for testing. The database is Azure SQL Database (PaaS) with geo-replication for disaster recovery. The team uses Application Insights to monitor performance. They pay for the App Service plan (Standard tier, 3 instances) and database DTUs. The benefit: no OS patching, automatic SSL certificate management, and built-in load balancing. Pitfall: if the application uses file system storage, it may be lost during scaling events; they must use Azure Blob Storage instead.
Enterprise Scenario 3: Full SaaS Adoption with Microsoft 365
A non-profit organization with 500 employees decides to move from on-premises Exchange and file servers to Microsoft 365 Business Basic. They purchase licenses, configure custom domains for email, and set up Teams for collaboration. They use the Microsoft 365 admin center to manage users, apply conditional access policies requiring MFA, and enable data loss prevention (DLP) for sensitive information. They use SharePoint Online for document management and OneDrive for Business for personal storage. The IT team's workload shifts from server maintenance to user management and policy configuration. They save on hardware costs and gain built-in disaster recovery. The challenge: ensuring compliance with GDPR and managing third-party app permissions. They use Microsoft 365 Defender to monitor suspicious activity. Common mistake: not configuring retention policies, leading to data loss when employees leave.
MS-900 Objective 1.2: Describe cloud service types
This objective covers IaaS, PaaS, and SaaS. The exam expects you to:
Define each model.
Identify which model a given Microsoft service belongs to.
Understand the shared responsibility model for each.
Recognize scenarios where each model is appropriate.
Most Common Wrong Answers and Why
"SaaS provides the most control." — Wrong. SaaS provides the least control; the provider manages everything. Candidates confuse control with convenience.
"IaaS is always the cheapest." — Wrong. IaaS can be more expensive due to management overhead and unused resources. PaaS and SaaS can be cheaper for standardized workloads.
"PaaS is the same as SaaS." — Wrong. PaaS gives you control over applications; SaaS gives you none. They differ in the level of abstraction.
"In IaaS, the provider patches the OS." — Wrong. In IaaS, the customer patches the OS. The provider patches only the hypervisor.
Specific Numbers and Terms
NIST SP 800-145: The standard defining cloud service models.
Shared responsibility model: Know the diagram: customer manages data and identities in all models.
Azure services: Azure VM = IaaS, Azure App Service = PaaS, Office 365 = SaaS.
Microsoft 365 Business plans: Basic ($6/user/mo), Standard ($12.50), Premium ($22).
SLAs: 99.9% uptime for most Microsoft 365 services.
Edge Cases
Hybrid scenarios: A company using Exchange Online (SaaS) with on-premises Active Directory is still using SaaS for email, but identity is hybrid.
Containers: Azure Container Instances are often considered PaaS (managed containers) but can be IaaS if you manage the host.
Azure Functions: Serverless compute is a subset of PaaS.
How to Eliminate Wrong Answers
If the question mentions "full control over OS", the answer is IaaS.
If the question mentions "deploy custom code without managing servers", the answer is PaaS.
If the question mentions "pre-built application like email", the answer is SaaS.
If the question mentions "who manages patching", recall the shared responsibility model.
IaaS provides virtualized infrastructure; customer manages OS and applications.
PaaS provides managed platform for custom applications; provider manages runtime.
SaaS provides ready-to-use applications; provider manages everything except user data.
Shared responsibility: customer always manages data and identities.
Microsoft 365 is primarily SaaS, but includes PaaS (Azure AD) and IaaS (Azure Virtual Desktop) elements.
Exam tip: If the question mentions 'full control over OS', choose IaaS; 'deploy code without managing servers' = PaaS; 'pre-built application' = SaaS.
NIST SP 800-145 defines the three service models.
These come up on the exam all the time. Here's how to tell them apart.
IaaS
Customer manages OS, middleware, runtime, data, and applications.
Provider manages physical hardware, networking, and virtualization.
Example: Azure Virtual Machines.
High control and flexibility.
High management overhead; customer responsible for patching and security.
PaaS
Customer manages only applications and data.
Provider manages OS, runtime, middleware, and infrastructure.
Example: Azure App Service.
Medium control; provider handles runtime and scaling.
Lower management overhead; provider patches OS and runtime.
Mistake
SaaS means the customer has no security responsibilities.
Correct
The customer is always responsible for data security, identity management, and compliance. The provider secures the infrastructure and application, but the customer must configure security settings like MFA and DLP.
Mistake
IaaS is always cheaper than PaaS because you only pay for what you use.
Correct
IaaS can be more expensive due to management overhead, unused capacity, and the need for additional services (e.g., patching, monitoring). PaaS often reduces total cost of ownership for standardized workloads.
Mistake
PaaS is only for web applications.
Correct
PaaS supports a wide range of workloads including web apps, APIs, mobile backends, IoT processing, and data analytics. Azure SQL Database and Azure Cosmos DB are PaaS database services.
Mistake
Microsoft 365 is purely SaaS.
Correct
While Microsoft 365 is primarily SaaS, it includes PaaS components like Azure AD (identity) and Power Platform (low-code development). Some subscriptions also include Azure Virtual Desktop (IaaS-like).
Mistake
In IaaS, the provider manages the operating system.
Correct
In IaaS, the customer manages the OS, including patching and configuration. The provider manages only the physical hardware and hypervisor.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
IaaS provides virtualized infrastructure (VMs, storage, networks) where you manage the OS and applications. PaaS provides a managed platform to deploy applications without managing the underlying infrastructure. SaaS provides fully managed applications you access via a browser. The key difference is the level of control and responsibility: IaaS gives you the most control but also the most management overhead; SaaS gives you the least control but the least overhead.
Microsoft 365 is primarily SaaS: Exchange Online, SharePoint Online, Teams, OneDrive for Business. Azure Active Directory (Microsoft Entra ID) is a PaaS identity service. Power Platform (Power Apps, Power Automate) is also PaaS. Azure Virtual Desktop, available with some Microsoft 365 subscriptions, is IaaS-like because you manage the virtual desktops (OS, applications).
The shared responsibility model defines which security and management tasks are handled by the cloud provider and which by the customer. In all models, the customer is always responsible for data, identities, and compliance. The provider is always responsible for physical security and infrastructure. In IaaS, the customer manages the OS and applications; in PaaS, the provider manages the OS and runtime; in SaaS, the provider manages everything except user accounts and data.
Consider the level of control you need. If you need full control over the OS and application (e.g., legacy app), choose IaaS. If you want to focus on code without managing servers, choose PaaS. If you need a standard application like email or collaboration, choose SaaS. Also consider cost, compliance, and team expertise.
Azure SQL Database is a PaaS service. Microsoft manages the database server, including patching, backups, and replication. You only manage the database schema, data, and access. It is not IaaS because you do not have access to the underlying OS or RDP into the server.
Yes, many solutions use a mix. For example, you might run a custom application on an Azure VM (IaaS) that connects to an Azure SQL Database (PaaS). This is common in hybrid architectures where some components require full control and others benefit from managed services.
IaaS costs are based on resource consumption (VM hours, storage, data transfer). PaaS costs are based on platform usage (e.g., App Service plan tier, database DTUs). SaaS costs are typically per-user per-month subscriptions. IaaS can be more expensive due to management overhead and unused resources; PaaS and SaaS often reduce costs for standardized workloads.
You've just covered SaaS, PaaS, IaaS in Microsoft 365 — now see how well it sticks with free MS-900 practice questions. Full explanations included, no account needed.
Done with this chapter?