Describe cloud concepts · easy · Multiple Choice · Objective-mapped

Quick Answer

The answer is managing data and access identities, as this responsibility always remains with the customer under the shared responsibility model, no matter if you are using IaaS, PaaS, or SaaS. This is because the cloud provider cannot control who accesses your data, how it is classified, or how it is encrypted at rest and in transit; these are inherently tied to your own security policies and user management. On the Microsoft Azure Fundamentals AZ-900 exam, this concept tests your understanding of the non-negotiable boundary between provider and customer duties, often appearing as a trick question where a SaaS option might imply the provider handles everything. A common trap is assuming the provider secures your data in SaaS, but the customer must still configure identity and access management (IAM) and encryption keys. Remember the mnemonic: “Data and identities are always your duties.”

AZ-900 Describe cloud concepts Practice Question

This AZ-900 practice question tests your understanding of the "Describe cloud concepts" objective. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below to reinforce the concept and understand why each distractor is designed to mislead on exam day.

In the shared responsibility model for cloud computing, which responsibility always remains with the customer regardless of the cloud service type?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "always"

    Why it matters: Absolute qualifier. An answer using 'always' is only correct if there are genuinely no exceptions — absolute statements are often wrong in networking.

Correct answer & explanation

Managing data and access identities

Under the shared responsibility model, the customer is always responsible for managing data and access identities, regardless of whether the service is IaaS, PaaS, or SaaS. This includes classifying data, encrypting data at rest and in transit, and configuring identity and access management (IAM) policies. Even in SaaS, where the provider manages the application, the customer must control who has access and how data is protected.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Managing physical network infrastructure

    Why it's wrong here

    Physical network infrastructure is always the cloud provider's responsibility.

  • Patching the underlying hypervisor

    Why it's wrong here

    The cloud provider manages hypervisor patching across all service models.

  • Managing data and access identities

    Why this is correct

    Customers always retain responsibility for their data and identity/access management regardless of service type.

    Clue confirmation

    The clue word "always" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Maintaining operating system patches

    Why it's wrong here

    OS patching responsibility shifts to the provider in PaaS and SaaS models.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates confuse 'patching the OS' (which shifts to the provider in PaaS/SaaS) with 'managing data and access identities' (which is always the customer's responsibility), leading them to incorrectly select Option D as the answer.

Detailed technical explanation

How to think about this question

The shared responsibility model is defined by the Cloud Security Alliance (CSA) and aligns with the NIST SP 800-145 cloud definition. For data and access identities, the customer retains control over data classification, encryption key management (e.g., using AWS KMS or Azure Key Vault), and identity federation via protocols like SAML 2.0 or OAuth 2.0. A real-world scenario: even in a SaaS application like Office 365, the customer must configure Azure AD Conditional Access policies and MFA to protect against unauthorized access, as the provider cannot enforce customer-specific identity rules.

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

FAQ

Questions learners often ask

What does this AZ-900 question test?

This question tests the "Describe cloud concepts" objective. Key concept: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Managing data and access identities — Under the shared responsibility model, the customer is always responsible for managing data and access identities, regardless of whether the service is IaaS, PaaS, or SaaS. This includes classifying data, encrypting data at rest and in transit, and configuring identity and access management (IAM) policies. Even in SaaS, where the provider manages the application, the customer must control who has access and how data is protected.

What should I do if I get this AZ-900 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "always". Absolute qualifier. An answer using 'always' is only correct if there are genuinely no exceptions — absolute statements are often wrong in networking.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Same concept, more angles

3 more ways this is tested on AZ-900

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A company is migrating a custom line-of-business application to Azure. The application handles sensitive customer data. The IT team is evaluating whether to deploy the application on Azure Virtual Machines (IaaS) or Azure App Service (PaaS). They want to understand the division of security responsibilities between Microsoft and the customer under the shared responsibility model. Which responsibility remains the customer's obligation regardless of whether they choose IaaS, PaaS, or SaaS?

Difficulty: medium

  • A. Applying operating system security patches and updates to virtual machines
  • B. Managing the physical server hardware, network switches, and datacenter cooling
  • C. Configuring and maintaining the application-level network load balancer for high availability
  • D. Managing user access to the application data and ensuring data classification policies are enforced

Why D: Under the shared responsibility model, the customer is always responsible for managing access to data and enforcing data classification policies, regardless of whether the workload runs on IaaS, PaaS, or SaaS. This is because data ownership and the associated governance obligations (such as who can read, write, or modify sensitive customer data) remain with the customer. Microsoft secures the underlying infrastructure, but the customer must control who accesses the application data and how it is classified.

Variation 2. A company plans to migrate a line-of-business application to Azure. The application will run on a virtual machine (IaaS). The company wants to ensure that the operating system is kept up to date with security patches. According to the shared responsibility model, who is primarily responsible for applying these patches?

Difficulty: medium

  • A. Microsoft, because they manage all operating system updates in Azure.
  • B. The customer, because the customer manages the guest operating system and is responsible for patching it.
  • C. Both Microsoft and the customer share responsibility equally for operating system patching.
  • D. The cloud service provider, as a general rule for all services in Azure.

Why B: In the shared responsibility model for IaaS, the customer retains control over the guest operating system, including applying security patches. Microsoft manages the physical host and hypervisor but does not patch the OS running inside the VM. Therefore, the customer is primarily responsible for keeping the OS up to date.

Variation 3. A retail company is planning to migrate its e-commerce application to Azure. The application will run on an Azure virtual machine that the company will manage. The IT manager wants to ensure that security patches are applied promptly. According to the shared responsibility model, who is responsible for applying security updates to the guest operating system of the Azure virtual machine?

Difficulty: medium

  • A. Microsoft, because they manage the hypervisor under the virtual machine.
  • B. The customer, because the guest operating system is under the customer's control.
  • C. Both Microsoft and the customer share responsibility equally for patching the guest operating system.
  • D. The customer, but only if they have configured Azure Policy to enforce patch compliance.

Why B: In the shared responsibility model, the customer is responsible for securing and patching the guest operating system (OS) of an Azure virtual machine because the customer retains control over the OS, applications, and data. Microsoft manages the underlying hypervisor and physical infrastructure but does not have access to the guest OS. Therefore, the customer must apply security updates to the guest OS.

Last reviewed: Jun 11, 2026
