Chapter 5 of 20
Security Foundations: The Shared Responsibility Model
See where your security duties stop and Microsoft’s begin, so you can avoid dangerous assumptions and answer exam questions that hinge on this boundary.
Why the Shared Responsibility Model Matters
Why This Topic Matters
Many Azure security failures come from assuming Microsoft handles more than it actually does. This module helps you see exactly where your duties stop and Microsoft’s begin.
Canonical Definition
The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer. Memorize this wording.
Exam and Real World
On AZ-900, scenarios often ask who is responsible: Microsoft or the customer. In the real world, regulators do not accept "we thought Microsoft did it" as a defense after a breach.
What You Will Learn
You will map responsibilities across IaaS, PaaS, and SaaS, practice classifying controls, and relate the model to risk and governance decisions in Azure.
Provider vs Customer: The Big Picture
Security of vs in the Cloud
Microsoft secures the cloud itself. You secure what you put in the cloud: your data, identities, and configurations. This is the essence of shared responsibility.
Provider Responsibilities
Microsoft handles datacenter security, physical hardware, the virtualization layer, the Azure backbone network, and many built-in protections, like platform-level DDoS defenses.
Customer Responsibilities
You always own your data, identities, device security, subscription setup, and how each Azure or Microsoft 365 service is configured and used by your organization.
What Changes?
The middle of the stack shifts with IaaS, PaaS, and SaaS. As you move toward SaaS, Microsoft takes more; as you move toward IaaS, you take more.
Stack View: IaaS, PaaS, SaaS Responsibilities
The Security Stack
Visualize layers: datacenter, network, hardware, virtualization, OS, middleware, app, data, identities, devices. Shared responsibility decides who owns each layer.
IaaS Responsibilities
With IaaS, Microsoft manages datacenter, network, hardware, and virtualization. You manage the OS, middleware, apps, data, identities, and device security.
PaaS Responsibilities
With PaaS, Microsoft manages up through the runtime. You mainly manage app logic, data, access control, and how the platform’s security features are configured.
SaaS Responsibilities
With SaaS, Microsoft manages the full app stack. You still decide who can access it, what data is stored, retention and sharing policies, and device protections.
Concrete Azure Examples: IaaS, PaaS, SaaS
IaaS: Azure Virtual Machines
For Azure VMs, Microsoft secures the region, datacenters, and hypervisor. You patch the OS, configure VM firewalls, manage antimalware, encrypt disks, and control access.
PaaS: App Service + Azure SQL
For App Service and Azure SQL, Microsoft manages OS, runtime, and database engine. You secure code, enforce HTTPS, configure auth, firewall rules, and data retention.
SaaS: Microsoft 365
For Microsoft 365, Microsoft runs the full app stack. You configure MFA, conditional access, DLP, retention, sharing settings, and user awareness training.
Exam Pattern
If a task is inside the VM or application, it is usually the customer's responsibility. If it concerns physical infrastructure or the core platform, it is Microsoft's. Always consider the service model.
Customer Responsibilities That Never Go Away
Responsibilities That Stay With You
Some duties never move to Microsoft, no matter the service model: data governance, identity and access, endpoint security, and how you configure and monitor services.
Data and Identity
You decide what data to store, how it is classified and retained, and how Microsoft Entra ID and RBAC are configured, including MFA and conditional access.
Endpoints and Users
You secure laptops and phones, deploy endpoint protection, and train users to avoid phishing and risky behavior. Microsoft cannot control your people or devices.
Governance and Configuration
You design subscriptions and resource groups, set Azure Policy, enable monitoring, and respond to alerts. Microsoft provides tools, but you must use them wisely.
Thought Exercise: Who Owns This Control?
Work through these mini-scenarios. Decide whether the responsibility is Microsoft, Customer, or Shared (but customer-led). Then check the guidance.
1. Patching the host OS that runs Azure Virtual Machines
   - Guidance: This is the hypervisor host OS, not the guest OS inside your VM.
2. Enforcing multi-factor authentication for administrators
   - Guidance: Think about Microsoft Entra ID configuration vs platform capability.
3. Configuring backup policies for an Azure SQL Database
   - Guidance: Consider that Azure provides built-in backup features.
4. Physical security of Azure datacenters
   - Guidance: Recall who owns and operates the buildings.
5. Deciding whether customer health data can be stored in a particular Azure region
   - Guidance: Consider legal, regulatory, and risk decisions.
Suggested answers (do not peek until you decide):
1. Microsoft – host OS and hypervisor are provider responsibilities.
2. Customer – Microsoft Entra ID offers MFA, but you must configure and enforce it.
3. Shared, customer-led – Microsoft provides backup capability, but you choose policies and verify they meet your requirements.
4. Microsoft – Azure datacenters are fully under Microsoft’s control.
5. Customer – only you (with your legal team) can decide data residency and compliance posture.
Quick Check: Service Model Responsibilities
Test your understanding of how responsibilities change with IaaS, PaaS, and SaaS.
In which service model is the customer responsible for managing the operating system (OS) of the compute resources?
- A) Infrastructure as a Service (IaaS) only
- B) Infrastructure as a Service (IaaS) and Platform as a Service (PaaS)
- C) Platform as a Service (PaaS) and Software as a Service (SaaS)
- D) Software as a Service (SaaS) only
Answer: A) Infrastructure as a Service (IaaS) only
In Infrastructure as a Service (IaaS), Microsoft manages the physical infrastructure and virtualization, but the customer manages the guest OS. In PaaS and SaaS, Microsoft manages the OS as part of the platform or application stack, so the customer does not patch or configure it directly.
Quick Check: Always-Customer Responsibilities
Confirm you can spot responsibilities that never move to Microsoft.
Which of the following is ALWAYS a customer responsibility, regardless of whether you use IaaS, PaaS, or SaaS?
- A) Physical security of the servers running your workloads
- B) Deciding which users get access to a business application
- C) Patching the database engine that runs Azure SQL Database
- D) Maintaining power and cooling for Azure datacenters
Answer: B) Deciding which users get access to a business application
Deciding who gets access to an application (identity and access management) is always a customer responsibility. Microsoft handles physical security and datacenter operations. For managed databases like Azure SQL Database, Microsoft patches the engine; you configure access and data policies.
Shared Responsibility and Azure Governance Tools
Governance Reflects Responsibility
Shared responsibility shapes how you use governance tools. Microsoft operates them; you configure them to express your security and compliance decisions.
Microsoft Entra ID
Microsoft Entra ID manages identities and sign-in. You configure password policies, MFA, conditional access, and who can access which apps and Azure resources.
RBAC and Azure Policy
RBAC controls who can manage Azure resources. Azure Policy enforces rules like "storage accounts must be encrypted". You design and assign both.
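To make the customer side of this concrete, here is an added example (not part of the course material and not Microsoft's policy engine) that shows what a rule like "storage accounts must be encrypted" looks like as a custom Azure Policy definition, and a small evaluator that applies its deny effect to sample resource requests. The policy requires secure transfer (HTTPS only) and TLS 1.2 on storage accounts; the aliases `type`, `Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly` and `Microsoft.Storage/storageAccounts/minimumTlsVersion` are real Azure Policy aliases, while the evaluator, the display name and the sample resources are constructed for this illustration and deliberately simplified (a resource is modelled as a flat alias-to-value dictionary).

```python
"""
Simplified model of how an Azure Policy definition with a deny effect is
evaluated against a resource request. This is an added example, not the
real Azure Policy engine and not code from the course. It mirrors the real
definition shape (if/then, field conditions, allOf/anyOf/not/exists) so the
artifact the customer designs and assigns becomes concrete.
"""
from typing import Any

# Custom policy definition in the shape Azure expects. It matches storage
# accounts that either allow plain HTTP (secure transfer off or omitted) or
# accept a TLS version below 1.2, and denies the create/update request.
# The displayName is ours; the aliases are real Azure Policy aliases.
SECURE_STORAGE_POLICY: dict[str, Any] = {
    "properties": {
        "displayName": "Storage accounts must require secure transfer and TLS 1.2",
        "mode": "Indexed",
        "policyRule": {
            "if": {
                "allOf": [
                    {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                    {
                        "anyOf": [
                            # Treat an omitted setting as non-compliant: a request
                            # that never mentions the property must not slip through.
                            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                             "exists": "false"},
                            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                             "equals": "false"},
                            {"not": {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
                                     "equals": "TLS1_2"}},
                        ]
                    },
                ]
            },
            "then": {"effect": "deny"},
        },
    }
}


def _matches(cond: dict[str, Any], resource: dict[str, Any]) -> bool:
    """Evaluate one condition node of a policyRule against a resource.

    Resource values are compared as lower-cased strings, which mirrors the
    case-insensitive 'equals' of Azure Policy in this simplified model.
    """
    if "allOf" in cond:
        return all(_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not _matches(cond["not"], resource)
    field = cond["field"]
    present = field in resource
    if "exists" in cond:
        return present == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return present and str(resource[field]).lower() == str(cond["equals"]).lower()
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy: dict[str, Any], resource: dict[str, Any]) -> str:
    """Return the policy's effect ('deny') when the 'if' block matches,
    otherwise 'allow' (resource is compliant or out of the rule's scope)."""
    rule = policy["properties"]["policyRule"]
    if _matches(rule["if"], resource):
        return rule["then"]["effect"].lower()
    return "allow"


# Constructed sample requests, keyed by alias.
COMPLIANT = {
    "type": "Microsoft.Storage/storageAccounts",
    "name": "stsecure001",
    "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": True,
    "Microsoft.Storage/storageAccounts/minimumTlsVersion": "TLS1_2",
}
HTTP_ALLOWED = {
    "type": "Microsoft.Storage/storageAccounts",
    "name": "stlegacy002",
    "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": False,
    "Microsoft.Storage/storageAccounts/minimumTlsVersion": "TLS1_2",
}
# Omits both settings entirely and relies on service defaults.
PROPERTY_OMITTED = {"type": "Microsoft.Storage/storageAccounts", "name": "stdefault003"}
# Not a storage account, so the rule never applies.
NOT_IN_SCOPE = {"type": "Microsoft.Compute/virtualMachines", "name": "vm01"}

if __name__ == "__main__":
    for res in (COMPLIANT, HTTP_ALLOWED, PROPERTY_OMITTED, NOT_IN_SCOPE):
        print(f"{res['name']:<14} -> {evaluate(SECURE_STORAGE_POLICY, res)}")
```

The `exists: false` branch is the part worth noticing: a rule that only checks `equals: false` would let a request that omits the property through, so a policy author has to decide explicitly how defaults are treated. Registering and assigning a definition like this in Azure (for example with `az policy definition create` and `az policy assignment create`) is a separate step not shown here; the point is that Microsoft operates the policy service, but the rule itself, its effect and its scope are the customer's decisions.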
Exam Connection
If the task is "enforce a rule" or "limit who can do X", think Azure Policy and RBAC. That is your side of the shared responsibility model.
Mini Case Study: Misplaced Assumptions
Scenario: Moving to SaaS
A company moves its file server to SharePoint Online and assumes Microsoft now handles all security, so they ignore access control and data loss prevention.
What Microsoft Handles
Microsoft secures the datacenters, patches the stack, encrypts data, and provides features like versioning and anti-malware scanning for SharePoint Online.
What the Customer Missed
They left external sharing wide open, skipped MFA, did not configure DLP or labels, and did not train users. A confidential file was overshared externally.
Responsibility Lesson
The incident stems from customer misconfiguration, not Microsoft. Exam answers will focus on customer-side controls such as DLP, conditional access, and sharing policies.
Key Terms and Definitions Review
Use these flashcards to reinforce the canonical definitions and core ideas related to the shared responsibility model.
- shared responsibility model
- The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.
- Infrastructure as a Service (IaaS)
- Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.
- Platform as a Service (PaaS)
- Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.
- Software as a Service (SaaS)
- Software as a Service (SaaS) is a cloud service model that delivers software applications over the internet on a subscription basis.
- Microsoft Entra ID
- Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
- role-based access control (RBAC)
- Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
- Azure Policy
- Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
- Customer responsibility that never goes away
- Data governance and classification, identity and access management, endpoint security, and configuration/governance decisions remain customer responsibilities across IaaS, PaaS, and SaaS.
- Security of the cloud vs in the cloud
- Microsoft is responsible for the security of the cloud (infrastructure and platform). The customer is responsible for security in the cloud (data, identities, configurations, and usage).
Pulling It Together and Next Steps in Your Path
Core Definition
Remember: the shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.
Service Models Recap
In IaaS you manage the OS and everything above it; in PaaS you focus on code, data, and access; in SaaS you mainly manage identities, data use, and configuration settings.
Always Your Job
Data governance, identity and access, endpoint security, and governance tools like RBAC and Azure Policy are always customer responsibilities.
Next Steps
Use the diagnostic, mock exams, spaced review, and gap guide in this Skarp course to solidify your ability to classify responsibilities across Azure scenarios.
Key Terms
- security in the cloud
- The set of responsibilities the customer has to secure their data, identities, configurations, and how cloud services are used.
- security of the cloud
- The set of responsibilities Microsoft has to secure the underlying cloud infrastructure, including datacenters, hardware, and core platform services.