Question 157 of 1,031
Describe cloud conceptsmediumMultiple ChoiceObjective-mapped

Quick Answer

The answer is Microsoft, because Azure SQL Database is a fully managed Platform as a Service (PaaS) offering where the shared responsibility model assigns patching of the database engine to the cloud provider. Under this model, Microsoft automatically handles security patches for the underlying operating system and the SQL Server software, while you remain responsible for securing your data, managing user access, and configuring database-level settings. On the AZ-900 exam, this scenario tests your understanding of how PaaS shifts operational tasks away from the customer—a common trap is assuming you still patch the engine just because you did on-premises. Remember the key distinction: with IaaS, you patch; with PaaS like Azure SQL Database, Microsoft patches. A simple memory tip is “PaaS = Provider patches the server, you protect the data.”

AZ-900 Describe cloud concepts Practice Question

This AZ-900 practice question tests your understanding of describe cloud concepts. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company is migrating its on-premises SQL Server databases to Azure SQL Database, which is a Platform as a Service (PaaS) offering. The on-premises IT team is accustomed to manually applying monthly security patches to the SQL Server software. After the migration, the team wants to understand their responsibilities for securing the database. According to the shared responsibility model, which party is responsible for applying security patches to the SQL Server database engine in Azure SQL Database?

Question 1mediummultiple choice
Read the full NAT/PAT explanation →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Microsoft, because Azure SQL Database is a PaaS service where Microsoft manages the database engine.

Azure SQL Database is a Platform as a Service (PaaS) offering where Microsoft manages the underlying infrastructure, including the operating system and the SQL Server database engine. Under the shared responsibility model, Microsoft is responsible for applying security patches to the database engine, while the customer is responsible for securing their data, access controls, and database-level configurations. This frees the customer from manual patching tasks they performed on-premises.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The customer, because the database engine is a customer-managed application.

    Why it's wrong here

    This is incorrect. In PaaS, the database engine is managed by the cloud provider (Microsoft), not the customer. The customer manages data and access, not the platform components like the database engine.

  • Microsoft, because Azure SQL Database is a PaaS service where Microsoft manages the database engine.

    Why this is correct

    Correct. For PaaS services like Azure SQL Database, Microsoft is responsible for maintaining the database engine, including applying security patches. The customer focuses on data, schema, and access controls.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Both the customer and Microsoft share equal responsibility for patching the database engine.

    Why it's wrong here

    This is incorrect. The responsibility for patching the database engine is not shared equally; Microsoft handles the engine patching entirely. The customer's responsibilities are around the data and access management, not the platform patching.

  • The customer, but only if the Azure SQL Database is configured with the serverless compute tier.

    Why it's wrong here

    This is incorrect. The serverless compute tier in Azure SQL Database is a scaling option for compute resources, but it does not change the shared responsibility model. Microsoft remains responsible for patching the database engine regardless of the compute tier.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates mistakenly apply on-premises patching habits to PaaS, assuming the customer retains full control over the database engine, when in fact Microsoft manages the underlying platform and engine updates under the shared responsibility model.

Detailed technical explanation

How to think about this question

Under the hood, Azure SQL Database runs on a multi-tenant service fabric where Microsoft applies patches to the SQL Server engine via automated update processes, often during maintenance windows, without customer intervention. The customer retains control over database-level security such as firewall rules, authentication (Azure AD or SQL logins), and data encryption (Transparent Data Encryption or Always Encrypted). A real-world scenario: if a critical SQL Server vulnerability like CVE-2023-XXXX is disclosed, Microsoft patches the engine across all Azure SQL Database instances, while the customer must still ensure their application connection strings use encrypted connections (TLS 1.2+) and that least-privilege access is enforced.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related AZ-900 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free AZ-900 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this AZ-900 question test?

Describe cloud concepts — This question tests Describe cloud concepts — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Microsoft, because Azure SQL Database is a PaaS service where Microsoft manages the database engine. — Azure SQL Database is a Platform as a Service (PaaS) offering where Microsoft manages the underlying infrastructure, including the operating system and the SQL Server database engine. Under the shared responsibility model, Microsoft is responsible for applying security patches to the database engine, while the customer is responsible for securing their data, access controls, and database-level configurations. This frees the customer from manual patching tasks they performed on-premises.

What should I do if I get this AZ-900 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

2 more ways this is tested on AZ-900

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A company migrates its on-premises servers to Azure virtual machines (IaaS model). The security team is planning the patching strategy and asks who is responsible for installing security updates on the guest operating system of the Azure VMs. According to the shared responsibility model, which statement is correct?

medium
  • A.Microsoft is responsible for maintaining and patching the guest operating system on Azure virtual machines.
  • B.The customer is responsible for maintaining and patching the guest operating system on Azure virtual machines.
  • C.Microsoft is responsible for patching any application software that runs on Azure virtual machines.
  • D.The customer is responsible for the physical security of the Azure datacenter where the virtual machines are hosted.

Why B: In the shared responsibility model for IaaS, the customer retains control over the guest operating system, applications, and data. Microsoft manages the physical host, hypervisor, and underlying Azure infrastructure, but the customer must install and maintain security updates on the guest OS of their Azure VMs. This is because the customer has full administrative access to the VM and is responsible for its configuration and patch management.

Variation 2. A company is migrating its on-premises virtual machines (VMs) to Azure using the Infrastructure as a Service (IaaS) model. The VMs run a custom legacy application that requires specific OS-level configurations. The company's IT team wants to understand which party is responsible for applying operating system security patches after the migration. According to the shared responsibility model, who is responsible for patching the OS of the Azure VMs?

medium
  • A.Microsoft is fully responsible for applying OS patches to the virtual machines.
  • B.The company is responsible for patching the operating system on the virtual machines.
  • C.Responsibility is shared equally between Microsoft and the company for OS patching.
  • D.Responsibility depends on whether the VM uses Windows or Linux; Microsoft patches Windows VMs and the company patches Linux VMs.

Why B: In the shared responsibility model for IaaS, the customer retains control over the operating system, including applying security patches. Microsoft manages the physical host, hypervisor, and Azure infrastructure, but the customer is responsible for OS-level configurations and updates on their virtual machines. This applies to both Windows and Linux VMs, regardless of whether the OS is provided by Azure or the customer.

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This AZ-900 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-900 exam.