Describe cloud concepts · medium · Multiple Choice · Objective-mapped

Quick Answer

The answer is the company, because under the shared responsibility model for PaaS, data encryption in memory falls squarely on the customer. While Microsoft secures the physical infrastructure, hypervisor, and Azure App Service runtime, it cannot access or manage the application’s memory space—encrypting data in memory requires code-level implementation, such as using .NET’s `ProtectedMemory` or Windows DPAPI, which only the customer can control. On the AZ-900 exam, this question tests your understanding of the boundary between “security of the platform” (Microsoft) and “security in the platform” (you). A common trap is assuming PaaS means Microsoft handles all encryption, but remember: encryption at rest and in transit often involves shared responsibility, whereas encryption in memory is always the customer’s domain. Memory tip: “Memory is your code’s private room—Microsoft holds the building keys, but you lock the closet.”

AZ-900 Describe cloud concepts Practice Question

This AZ-900 practice question tests your understanding of the "Describe cloud concepts" domain. The scenario asks you to isolate a root cause, so eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below, and note why each distractor is designed to mislead on exam day.

A company migrates its web application to Azure App Service (Platform as a Service). The application processes sensitive customer data and must ensure that all data in memory is encrypted while the application is running. According to the shared responsibility model, which party is responsible for implementing encryption of data in memory for this application?

Correct answer & explanation

The company, because it is responsible for securing its own application data and code.

In the shared responsibility model for PaaS like Azure App Service, Microsoft secures the physical host, OS, and platform runtime, but the customer retains responsibility for securing application-level data, including data in memory. Encrypting data in memory requires application code changes (e.g., using .NET's `ProtectedMemory` or Windows DPAPI), which is solely the customer's responsibility because Microsoft cannot access or manage the application's runtime memory contents.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Microsoft Azure, because it provides the hosting infrastructure and manages the runtime environment.

    Why it's wrong here

    Microsoft Azure is responsible for the security of the underlying infrastructure, such as the physical hosts and network. However, data in memory is part of the application data plane, which is the customer's responsibility even in a PaaS environment. Azure does not control or encrypt application-level data in memory.

  • The company, because it is responsible for securing its own application data and code.

    Why this is correct

    Under the shared responsibility model, the customer always retains responsibility for the security of their data and applications, including data in memory. In a PaaS model, the customer manages the application and data, while the provider manages the underlying platform. Therefore, the company must implement encryption of data in memory within the application.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Both Microsoft and the company share this responsibility equally.

    Why it's wrong here

    While responsibilities are shared, data security (including data in memory) is exclusively the customer's domain. Microsoft does not access or control application memory. The customer is solely responsible for implementing encryption of data in memory. There is no shared responsibility for this specific task.

  • A third-party encryption service that is automatically enabled for all Azure App Service deployments.

    Why it's wrong here

    Azure does not automatically enable encryption of data in memory for App Service. The customer must use their own encryption libraries or third-party solutions within the application code. No automatic service covers this requirement.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often assume PaaS means Microsoft handles all security, but the shared responsibility model clearly delineates that data security at the application layer—including in-memory encryption—remains the customer's obligation.

Detailed technical explanation

How to think about this question

In-memory encryption typically involves using operating system APIs like Windows Data Protection API (DPAPI) or .NET's `System.Security.Cryptography.ProtectedMemory` class, which encrypts data using a machine-derived key. In a PaaS environment, the application runs in a sandboxed worker process, and Microsoft cannot access the process's private virtual address space, making customer-side implementation mandatory. A real-world scenario is a healthcare app handling PHI under HIPAA, where the customer must ensure memory buffers are encrypted to prevent exposure during a memory dump or side-channel attack.

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

FAQ

Questions learners often ask

What does this AZ-900 question test?

This question tests the "Describe cloud concepts" domain. Key concept: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: The company, because it is responsible for securing its own application data and code. — In the shared responsibility model for PaaS like Azure App Service, Microsoft secures the physical host, OS, and platform runtime, but the customer retains responsibility for securing application-level data, including data in memory. Encrypting data in memory requires application code changes (e.g., using .NET's `ProtectedMemory` or Windows DPAPI), which is solely the customer's responsibility because Microsoft cannot access or manage the application's runtime memory contents.

What should I do if I get this AZ-900 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Same concept, more angles

2 more ways this is tested on AZ-900

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A company migrates its web application to Azure App Service (PaaS) and its data to Azure SQL Database (PaaS). The company wants to understand which security responsibilities it retains after the migration. According to the shared responsibility model, which of the following responsibilities remains the responsibility of the company (customer) when using these PaaS services?

medium
  • A. Patching the operating system of the web server
  • B. Managing network security groups for the virtual network
  • C. Managing user access to the application and database
  • D. Physical security of the Azure data center

Why C: In the shared responsibility model for PaaS, the cloud provider manages the underlying infrastructure, including the OS and network security groups, while the customer retains responsibility for managing access to their application and data. For Azure App Service and Azure SQL Database, this means the customer must configure authentication, authorization, and user permissions (e.g., using Azure Active Directory or SQL logins) to control who can access the application and database.

Variation 2. A company is migrating a web application to Azure. The web tier will run on Azure App Service (PaaS) and the database tier will use Azure SQL Database (PaaS). The company's IT team wants to understand their patching responsibilities for the underlying operating system (OS) of each service. According to the shared responsibility model, which statement is correct?

medium
  • A. The customer is responsible for patching the operating system of both Azure App Service and Azure SQL Database.
  • B. Microsoft is responsible for patching the operating system of Azure App Service, and the customer is responsible for patching the operating system of Azure SQL Database.
  • C. The customer is responsible for patching the operating system of Azure App Service, and Microsoft is responsible for patching the operating system of Azure SQL Database.
  • D. Microsoft is responsible for patching the operating system of both Azure App Service and Azure SQL Database.

Why D: In the shared responsibility model, Microsoft manages the underlying infrastructure for Platform as a Service (PaaS) services. Both Azure App Service and Azure SQL Database are PaaS offerings, meaning Microsoft handles OS patching, updates, and security for the host OS. The customer is responsible only for their application code and data, not the OS. Therefore, option D is correct.

Last reviewed: Jun 11, 2026

This AZ-900 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-900 exam.