Chapter 5 of 20
Security Foundations in the Cloud: The Shared Responsibility Model
Trace exactly where the cloud provider’s security duties end and yours begin so you can avoid common exam traps and real-world misunderstandings.
Why the Shared Responsibility Model Matters
Why This Matters
In Azure, security is never 100% Microsoft’s job or 100% the customer’s job. Misunderstanding this is a major real-world failure point and a frequent AZ-900 exam trap.
Canonical Definition
The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer. Memorize this wording.
From On-Prem to Cloud
In traditional on-premises IT, your organization owned almost everything: data center, networking, servers, OS, apps, and data. With cloud computing, these responsibilities are split.
High-Level Split
Microsoft Azure secures the underlying cloud infrastructure and platform. You are responsible for securing the things you configure and deploy on top of that platform.
Exam Focus
For AZ-900, you must recall the definition, map responsibilities to Microsoft vs customer, see how they shift across IaaS/PaaS/SaaS, and spot questions that assume "the provider secures everything."
Reconnecting to Cloud and Service Models
Cloud Computing Reminder
Cloud computing is the delivery of computing services over the internet, enabling faster innovation, flexible resources, and economies of scale.
Deployment Models
Public, private, and hybrid cloud define who owns infrastructure and where it runs. This ownership strongly influences who is responsible for which security controls.
Public, Private, Hybrid
Public cloud: Microsoft hosts for many tenants. Private cloud: resources for one organization. Hybrid cloud: combines both and lets data and apps move between them.
Service Models
IaaS gives virtual servers and networks, PaaS gives a full dev platform, SaaS gives finished apps. Each step up means Microsoft manages more layers for you.
Why This Matters
The shared responsibility model changes with the deployment and service model. On exams, always identify the model first; it tells you where the security line likely falls.
The Security Stack: Visualizing the Layers
The Security Stack
Visualize a stack from physical data center up to data and identities. Each layer can have security responsibilities owned by Microsoft, by you, or shared.
Layers 1–4
Bottom layers: physical data center, physical network, physical hosts, and virtualization. In Azure, Microsoft owns and secures these for public cloud.
Layers 5–8
Middle layers: operating system, middleware/runtime, applications, and data. Responsibility here shifts depending on IaaS, PaaS, or SaaS.
Layers 9–10
Top layers: identities and access, plus policies, governance, and compliance. These are always at least partly your responsibility.
Key Rule of Thumb
Microsoft secures the cloud; you secure what you put in the cloud. We will now map that rule onto IaaS, PaaS, and SaaS more precisely.
Shared Responsibility in IaaS: Azure Virtual Machines
IaaS Refresher
Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.
IaaS Scenario
You run a web app on an Azure Virtual Machine in the public cloud. You control the OS and software; Microsoft provides the underlying infrastructure.
Microsoft in IaaS
Microsoft secures physical data centers, hardware, hypervisor, and core Azure networking. It ensures the Azure VM platform is available and isolated between tenants.
Customer in IaaS
You secure the OS, applications, data, and network configuration (NSGs, firewalls). You manage identities, access, logging, and compliance for your resources.
Common Exam Trap
In IaaS, Azure does not patch your VM OS. If a question claims Azure patches your IaaS VM OS by default, that statement is incorrect for AZ-900.
Shared Responsibility in PaaS: Azure App Service and Databases
PaaS Refresher
Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.
App Service Scenario
You deploy a web app to Azure App Service. Microsoft manages the OS, runtime, and web server. You focus on your code, configuration, and data.
Microsoft in PaaS
Microsoft secures and patches the OS, web server, and runtime. It provides built-in high availability, scaling, and platform-level protections.
Customer in PaaS
You secure your application code, secrets, and data. You configure authentication, authorization, network access, and monitoring.
Database Example and Trap
For Azure SQL Database, Microsoft patches the OS and SQL engine. You design schemas, set permissions, and enable encryption. You do not patch the engine yourself.
Shared Responsibility in SaaS: Microsoft 365 and Third-Party Apps
SaaS Refresher
Software as a Service (SaaS) is a cloud service model that delivers software applications over the internet on a subscription basis.
Microsoft 365 Scenario
Your organization uses Microsoft 365 for email, files, and collaboration. Microsoft runs the apps; you configure how your organization uses them.
Microsoft in SaaS
Microsoft operates and secures the full service stack, including the application code, underlying platforms, and global infrastructure.
Customer in SaaS
You manage identities, access, data governance, and configuration. You secure endpoints and train users to handle data safely.
Common SaaS Misconception
SaaS does not mean Microsoft is fully responsible for data security. You still control who can access data, how it is shared, and retention policies.
Microsoft vs Customer: Cross-Cutting Security Responsibilities
Always Microsoft
Microsoft consistently owns physical security, hardware and network infrastructure, hypervisors, and many platform-level protections and certifications.
Always You
You always own identity and access, configuration and hardening, data classification, monitoring, and incident response in your tenant.
Key Azure Tools
Microsoft Entra ID manages identities. Role-based access control (RBAC) controls who can do what with Azure resources.
Azure Policy
Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
Exam Perspective
Even though Microsoft provides RBAC and Azure Policy, it is your job to design and apply them. Unconfigured tenants are a customer-side risk, not a Microsoft failure.
Thought Exercise: Who Owns This Control?
Work through these scenarios and decide whether the primary responsibility lies with Microsoft, the customer, or is shared. Think through your answer before reading the explanation.
- Physical access to Azure data centers
- Who controls badge readers, security guards, and visitor logs?
- Expected answer: Microsoft. Customers do not walk into Azure data centers.
- Enabling multifactor authentication (MFA) for admins
- Who decides whether MFA is required for global admins in Microsoft Entra ID?
- Expected answer: Customer. Microsoft provides the capability, but you must configure it. (Some security defaults exist, but responsibility for your tenant’s MFA posture is yours.)
- Patching a Windows Server VM running in Azure IaaS
- Who schedules and applies OS updates?
- Expected answer: Customer. Unless you enable a managed patching solution, Azure does not patch your IaaS VM OS.
- Applying a regulatory standard (for example, GDPR) to how your app processes personal data
- Who designs processes so that data is collected, stored, and deleted correctly?
- Expected answer: Customer. Microsoft provides compliant infrastructure and tools, but you design your app and data flows.
- Keeping the Azure portal itself available
- Who ensures https://portal.azure.com is up and reachable (service-side)?
- Expected answer: Microsoft. If the portal is down globally, that is on Microsoft.
- Ensuring only approved regions are used for deployments
- Who defines and enforces "we only deploy to EU regions"?
- Expected answer: Customer, using tools like Azure Policy.
As you review exam questions, mentally tag each responsibility: platform (Microsoft) vs configuration and usage (customer).
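The "we only deploy to EU regions" rule above, and the Azure Policy service described earlier, can be made concrete as a custom policy definition with a deny effect. This is an added illustration, not material from the course; the display name, the two default regions (westeurope, northeurope) and the exemption for resources whose location is `global` are choices made for this example.

```json
{
  "properties": {
    "displayName": "Allowed regions for deployments (example: EU only)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Denies creation of resources whose location is not in the approved list. Resources with the location 'global' are exempt.",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "strongType": "location"
        },
        "defaultValue": ["westeurope", "northeurope"]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "location",
            "notIn": "[parameters('allowedLocations')]"
          },
          {
            "field": "location",
            "notEquals": "global"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

The definition does nothing until a customer administrator assigns it at a management group, subscription or resource group scope; once assigned, Azure Resource Manager rejects create requests for resources outside the listed regions, which is exactly the customer-side configuration duty the exam stresses.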
Quick Check: IaaS vs PaaS vs SaaS Responsibilities
Test your understanding of how responsibilities shift across service models.
In which service model is Microsoft responsible for managing and patching the operating system that runs your application code, while you remain responsible for the application logic and data?
- Infrastructure as a Service (IaaS)
- Platform as a Service (PaaS)
- Software as a Service (SaaS)
- None of the above; OS patching is always the customer’s job
Answer: B) Platform as a Service (PaaS)
In **Platform as a Service (PaaS)**, Microsoft manages and patches the OS, runtime, and platform (for example, Azure App Service or Azure SQL Database). You focus on your application code and data. In IaaS, you patch the OS yourself. In SaaS, you usually do not deploy your own code at all; Microsoft runs the entire application.
Quick Check: Who Is Responsible?
Another short quiz to reinforce responsibility boundaries.
Your company stores sensitive customer data in Microsoft 365 (SharePoint and OneDrive). Who is primarily responsible for configuring data loss prevention (DLP) policies to prevent accidental sharing of this data outside the organization?
- Microsoft, because it operates Microsoft 365
- The customer organization’s administrators
- The end users who upload the files
- No one; DLP is automatic and requires no configuration
Answer: B) The customer organization’s administrators
In a SaaS model like Microsoft 365, Microsoft runs the platform, but the **customer’s administrators** are responsible for configuring security features such as DLP, retention policies, and sharing settings. End users must follow policy, but admins own the configuration.
Using Shared Responsibility to Choose Service and Deployment Models
Service Model Trade-Offs
IaaS gives maximum control and maximum security work. PaaS reduces OS and platform tasks. SaaS minimizes operations but still leaves you with identity and data duties.
Deployment Model Trade-Offs
Public cloud: Microsoft handles physical and infrastructure security. Private cloud: you take those responsibilities back. Hybrid: you manage both responsibility patterns at once.
Regulation and Risk
Regulated workloads often benefit from PaaS/SaaS services with strong built-in compliance, while you focus on configuring access, retention, and data protection.
Exam Strategy
When faced with choices like VMs vs App Service vs Microsoft 365, ask: who should manage which security layers? That usually points to the right service model.
Key Reminder
Moving toward SaaS shifts operational security to Microsoft, but your responsibilities for data, identities, and configuration never disappear.
Key Terms: Shared Responsibility and Azure Security
Use these flashcards to reinforce core definitions and responsibility splits.
- shared responsibility model
- The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.
- cloud computing
- Cloud computing is the delivery of computing services over the internet, enabling faster innovation, flexible resources, and economies of scale.
- Infrastructure as a Service (IaaS)
- Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.
- Platform as a Service (PaaS)
- Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.
- Software as a Service (SaaS)
- Software as a Service (SaaS) is a cloud service model that delivers software applications over the internet on a subscription basis.
- Microsoft Entra ID
- Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
- role-based access control (RBAC)
- Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
- Azure Policy
- Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
- Who patches the OS in IaaS?
- In IaaS, the customer is responsible for patching and securing the operating system running in their virtual machines.
- Who configures MFA for admins?
- The customer configures multifactor authentication policies in Microsoft Entra ID, even though Microsoft provides the MFA capability.
Key Terms
- hybrid cloud
- A hybrid cloud is a computing environment that combines public and private clouds, allowing data and applications to be shared between them.
- public cloud
- A public cloud is a cloud deployment model in which a cloud provider owns and operates the infrastructure and delivers computing resources over the public internet to multiple tenants.
- private cloud
- A private cloud is a cloud deployment model in which cloud resources are used exclusively by a single organization, either hosted on-premises or by a third-party provider.