- A
Managing physical network infrastructure
Why wrong: Physical network infrastructure is always the cloud provider's responsibility.
- B
Patching the underlying hypervisor
Why wrong: The cloud provider manages hypervisor patching across all service models.
- C
Managing data and access identities
Customers always retain responsibility for their data and identity/access management regardless of service type.
- D
Maintaining operating system patches
Why wrong: OS patching responsibility shifts to the provider in PaaS and SaaS models.
Quick Answer
The answer is managing data and access identities, as this responsibility always remains with the customer under the shared responsibility model, whether you are using IaaS, PaaS, or SaaS. This is because the cloud provider cannot control who accesses your data, how it is classified, or how it is encrypted at rest and in transit; these are inherently tied to your own security policies and user management. On the Microsoft Azure Fundamentals AZ-900 exam, this concept tests your understanding of the non-negotiable boundary between provider and customer duties, often appearing as a trick question where a SaaS option might imply the provider handles everything. A common trap is assuming the provider secures your data in SaaS, but the customer must still configure identity and access management (IAM) and encryption keys. Remember the mnemonic: “Data and identities are always your duties.”
AZ-900 Describe cloud concepts Practice Question
This AZ-900 practice question tests your understanding of the "Describe cloud concepts" domain. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below to reinforce the concept and understand why each distractor is designed to mislead on exam day.
In the shared responsibility model for cloud computing, which responsibility always remains with the customer regardless of the cloud service type?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue:
"always"
Why it matters: Absolute qualifier. An answer using 'always' is only correct if there are genuinely no exceptions — absolute statements are often wrong in networking.
Correct answer & explanation
Managing data and access identities
Under the shared responsibility model, the customer is always responsible for managing data and access identities, regardless of whether the service is IaaS, PaaS, or SaaS. This includes classifying data, encrypting data at rest and in transit, and configuring identity and access management (IAM) policies. Even in SaaS, where the provider manages the application, the customer must control who has access and how data is protected.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗
Managing physical network infrastructure
Why it's wrong here
Physical network infrastructure is always the cloud provider's responsibility.
- ✗
Patching the underlying hypervisor
Why it's wrong here
The cloud provider manages hypervisor patching across all service models.
- ✓
Managing data and access identities
Why this is correct
Customers always retain responsibility for their data and identity/access management regardless of service type.
Clue confirmation
The clue word "always" in the question points toward this answer.
Related concept
Read the scenario before looking for a memorised answer.
- ✗
Maintaining operating system patches
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates confuse 'patching the OS' (which shifts to the provider in PaaS/SaaS) with 'managing data and access identities' (which is always the customer's responsibility), leading them to incorrectly select Option D as the answer.
Detailed technical explanation
How to think about this question
The shared responsibility model is defined by the Cloud Security Alliance (CSA) and aligns with the NIST SP 800-145 cloud definition. For data and access identities, the customer retains control over data classification, encryption key management (e.g., using AWS KMS or Azure Key Vault), and identity federation via protocols like SAML 2.0 or OAuth 2.0. A real-world scenario: even in a SaaS application like Office 365, the customer must configure Azure AD Conditional Access policies and MFA to protect against unauthorized access, as the provider cannot enforce customer-specific identity rules.
Key Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Real-world example
How this comes up in practice
A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Same concept, more angles
3 more ways this is tested on AZ-900
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. A company is migrating a custom line-of-business application to Azure. The application handles sensitive customer data. The IT team is evaluating whether to deploy the application on Azure Virtual Machines (IaaS) or Azure App Service (PaaS). They want to understand the division of security responsibilities between Microsoft and the customer under the shared responsibility model. Which responsibility remains the customer's obligation regardless of whether they choose IaaS, PaaS, or SaaS?
medium
- A. Applying operating system security patches and updates to virtual machines
- B. Managing the physical server hardware, network switches, and datacenter cooling
- C. Configuring and maintaining the application-level network load balancer for high availability
- ✓ D. Managing user access to the application data and ensuring data classification policies are enforced
Why D: Under the shared responsibility model, the customer is always responsible for managing access to data and enforcing data classification policies, regardless of whether the workload runs on IaaS, PaaS, or SaaS. This is because data ownership and the associated governance obligations (such as who can read, write, or modify sensitive customer data) remain with the customer. Microsoft secures the underlying infrastructure, but the customer must control who accesses the application data and how it is classified.
Variation 2. A company plans to migrate a line-of-business application to Azure. The application will run on a virtual machine (IaaS). The company wants to ensure that the operating system is kept up to date with security patches. According to the shared responsibility model, who is primarily responsible for applying these patches?
medium
- A. Microsoft, because they manage all operating system updates in Azure.
- ✓ B. The customer, because the customer manages the guest operating system and is responsible for patching it.
- C. Both Microsoft and the customer share responsibility equally for operating system patching.
- D. The cloud service provider, as a general rule for all services in Azure.
Why B: In the shared responsibility model for IaaS, the customer retains control over the guest operating system, including applying security patches. Microsoft manages the physical host and hypervisor but does not patch the OS running inside the VM. Therefore, the customer is primarily responsible for keeping the OS up to date.
Variation 3. A retail company is planning to migrate its e-commerce application to Azure. The application will run on an Azure virtual machine that the company will manage. The IT manager wants to ensure that security patches are applied promptly. According to the shared responsibility model, who is responsible for applying security updates to the guest operating system of the Azure virtual machine?
medium
- A. Microsoft, because they manage the hypervisor under the virtual machine.
- ✓ B. The customer, because the guest operating system is under the customer's control.
- C. Both Microsoft and the customer share responsibility equally for patching the guest operating system.
- D. The customer, but only if they have configured Azure Policy to enforce patch compliance.
Why B: In the shared responsibility model, the customer is responsible for securing and patching the guest operating system (OS) of an Azure virtual machine because the customer retains control over the OS, applications, and data. Microsoft manages the underlying hypervisor and physical infrastructure but does not have access to the guest OS. Therefore, the customer must apply security updates to the guest OS.
Last reviewed: Jun 11, 2026
This AZ-900 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-900 exam.