- A
Microsoft Azure, because it provides the hosting infrastructure and manages the runtime environment.
Why wrong: Microsoft Azure is responsible for the security of the underlying infrastructure, such as the physical hosts and network. However, data in memory is part of the application data plane, which is the customer's responsibility even in a PaaS environment. Azure does not control or encrypt application-level data in memory.
- B
The company, because it is responsible for securing its own application data and code.
Under the shared responsibility model, the customer always retains responsibility for the security of their data and applications, including data in memory. In a PaaS model, the customer manages the application and data, while the provider manages the underlying platform. Therefore, the company must implement encryption of data in memory within the application.
- C
Both Microsoft and the company share this responsibility equally.
Why wrong: While responsibilities are shared, data security (including data in memory) is exclusively the customer's domain. Microsoft does not access or control application memory. The customer is solely responsible for implementing encryption of data in memory. There is no shared responsibility for this specific task.
- D
A third-party encryption service that is automatically enabled for all Azure App Service deployments.
Why wrong: Azure does not automatically enable encryption of data in memory for App Service. The customer must use their own encryption libraries or third-party solutions within the application code. No automatic service covers this requirement.
Quick Answer
The answer is the company, because under the shared responsibility model for PaaS, data encryption in memory falls squarely on the customer. While Microsoft secures the physical infrastructure, hypervisor, and Azure App Service runtime, it cannot access or manage the application’s memory space—encrypting data in memory requires code-level implementation, such as using .NET’s `ProtectedMemory` or Windows DPAPI, which only the customer can control. On the AZ-900 exam, this question tests your understanding of the boundary between “security of the platform” (Microsoft) and “security in the platform” (you). A common trap is assuming PaaS means Microsoft handles all encryption, but remember: encryption at rest and in transit often involves shared responsibility, whereas encryption in memory is always the customer’s domain. Memory tip: “Memory is your code’s private room—Microsoft holds the building keys, but you lock the closet.”
AZ-900 Describe cloud concepts Practice Question
This AZ-900 practice question tests your understanding of the "Describe cloud concepts" domain. The scenario asks you to isolate a root cause: eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A company migrates its web application to Azure App Service (Platform as a Service). The application processes sensitive customer data and must ensure that all data in memory is encrypted while the application is running. According to the shared responsibility model, which party is responsible for implementing encryption of data in memory for this application?
Correct answer & explanation
The company, because it is responsible for securing its own application data and code.
In the shared responsibility model for PaaS like Azure App Service, Microsoft secures the physical host, OS, and platform runtime, but the customer retains responsibility for securing application-level data, including data in memory. Encrypting data in memory requires application code changes (e.g., using .NET's `ProtectedMemory` or Windows DPAPI), which is solely the customer's responsibility because Microsoft cannot access or manage the application's runtime memory contents.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗
Microsoft Azure, because it provides the hosting infrastructure and manages the runtime environment.
Why it's wrong here
Microsoft Azure is responsible for the security of the underlying infrastructure, such as the physical hosts and network. However, data in memory is part of the application data plane, which is the customer's responsibility even in a PaaS environment. Azure does not control or encrypt application-level data in memory.
- ✓
The company, because it is responsible for securing its own application data and code.
Why this is correct
Under the shared responsibility model, the customer always retains responsibility for the security of their data and applications, including data in memory. In a PaaS model, the customer manages the application and data, while the provider manages the underlying platform. Therefore, the company must implement encryption of data in memory within the application.
Related concept
Read the scenario before looking for a memorised answer.
- ✗
Both Microsoft and the company share this responsibility equally.
Why it's wrong here
While responsibilities are shared, data security (including data in memory) is exclusively the customer's domain. Microsoft does not access or control application memory. The customer is solely responsible for implementing encryption of data in memory. There is no shared responsibility for this specific task.
- ✗
A third-party encryption service that is automatically enabled for all Azure App Service deployments.
Why it's wrong here
Azure does not automatically enable encryption of data in memory for App Service. The customer must use their own encryption libraries or third-party solutions within the application code. No automatic service covers this requirement.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often assume PaaS means Microsoft handles all security, but the shared responsibility model clearly delineates that data security at the application layer—including in-memory encryption—remains the customer's obligation.
Detailed technical explanation
How to think about this question
In-memory encryption typically involves using operating system APIs like Windows Data Protection API (DPAPI) or .NET's `System.Security.Cryptography.ProtectedMemory` class, which encrypts data using a machine-derived key. In a PaaS environment, the application runs in a sandboxed worker process, and Microsoft cannot access the process's private virtual address space, making customer-side implementation mandatory. A real-world scenario is a healthcare app handling PHI under HIPAA, where the customer must ensure memory buffers are encrypted to prevent exposure during a memory dump or side-channel attack.
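The customer-side pattern described above, as an added C# sketch that is not code from this page or from Microsoft: a sensitive buffer is kept encrypted with `ProtectedMemory` and decrypted only for the duration of a callback. It assumes Windows and, on .NET Core / .NET 5+, the `System.Security.Cryptography.ProtectedData` package; `InMemorySecret`, `Protect` and `Use` are hypothetical names, and the sample value is constructed.

```csharp
// Added example: Windows only (ProtectedMemory wraps the OS memory-protection API).
using System;
using System.Security.Cryptography;
using System.Text;

static class InMemorySecret
{
    // ProtectedMemory.Protect throws unless the buffer length is a multiple of 16.
    const int BlockSize = 16;

    // Copies the secret into a padded buffer and encrypts that buffer in place.
    // The first 4 bytes hold the real length so the padding can be ignored later.
    public static byte[] Protect(byte[] secret)
    {
        int total = sizeof(int) + secret.Length;
        int padded = (total + BlockSize - 1) / BlockSize * BlockSize;
        var buffer = new byte[padded];
        BitConverter.GetBytes(secret.Length).CopyTo(buffer, 0);
        secret.CopyTo(buffer, sizeof(int));
        ProtectedMemory.Protect(buffer, MemoryProtectionScope.SameProcess);
        return buffer;
    }

    // Decrypts only while the callback runs, then re-encrypts even if it throws.
    public static T Use<T>(byte[] buffer, Func<ArraySegment<byte>, T> action)
    {
        ProtectedMemory.Unprotect(buffer, MemoryProtectionScope.SameProcess);
        try
        {
            int length = BitConverter.ToInt32(buffer, 0);
            return action(new ArraySegment<byte>(buffer, sizeof(int), length));
        }
        finally
        {
            ProtectedMemory.Protect(buffer, MemoryProtectionScope.SameProcess);
        }
    }
}

static class Program
{
    static void Main()
    {
        byte[] secret = Encoding.UTF8.GetBytes("constructed-sample-record"); // constructed value
        byte[] guarded = InMemorySecret.Protect(secret);
        Array.Clear(secret, 0, secret.Length); // wipe the plaintext copy

        int length = InMemorySecret.Use(guarded, s => s.Count);
        Console.WriteLine($"plaintext length seen inside callback: {length}");
    }
}
```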
Key Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.
FAQ
Questions learners often ask
What does this AZ-900 question test?
This question tests Describe cloud concepts: read the scenario before looking for a memorised answer.
What is the correct answer to this question?
The correct answer is: The company, because it is responsible for securing its own application data and code. — In the shared responsibility model for PaaS like Azure App Service, Microsoft secures the physical host, OS, and platform runtime, but the customer retains responsibility for securing application-level data, including data in memory. Encrypting data in memory requires application code changes (e.g., using .NET's `ProtectedMemory` or Windows DPAPI), which is solely the customer's responsibility because Microsoft cannot access or manage the application's runtime memory contents.
What should I do if I get this AZ-900 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Same concept, more angles
2 more ways this is tested on AZ-900
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. A company migrates its web application to Azure App Service (PaaS) and its data to Azure SQL Database (PaaS). The company wants to understand which security responsibilities it retains after the migration. According to the shared responsibility model, which of the following responsibilities remains the responsibility of the company (customer) when using these PaaS services?
medium
- A. Patching the operating system of the web server
- B. Managing network security groups for the virtual network
- ✓ C. Managing user access to the application and database
- D. Physical security of the Azure data center
Why C: In the shared responsibility model for PaaS, the cloud provider manages the underlying infrastructure, including the OS and network security groups, while the customer retains responsibility for managing access to their application and data. For Azure App Service and Azure SQL Database, this means the customer must configure authentication, authorization, and user permissions (e.g., using Azure Active Directory or SQL logins) to control who can access the application and database.
Variation 2. A company is migrating a web application to Azure. The web tier will run on Azure App Service (PaaS) and the database tier will use Azure SQL Database (PaaS). The company's IT team wants to understand their patching responsibilities for the underlying operating system (OS) of each service. According to the shared responsibility model, which statement is correct?
medium
- A. The customer is responsible for patching the operating system of both Azure App Service and Azure SQL Database.
- B. Microsoft is responsible for patching the operating system of Azure App Service, and the customer is responsible for patching the operating system of Azure SQL Database.
- C. The customer is responsible for patching the operating system of Azure App Service, and Microsoft is responsible for patching the operating system of Azure SQL Database.
- ✓ D. Microsoft is responsible for patching the operating system of both Azure App Service and Azure SQL Database.
Why D: In the shared responsibility model, Microsoft manages the underlying infrastructure for Platform as a Service (PaaS) services. Both Azure App Service and Azure SQL Database are PaaS offerings, meaning Microsoft handles OS patching, updates, and security for the host OS. The customer is responsible only for their application code and data, not the OS. Therefore, option D is correct.
Last reviewed: Jun 11, 2026