Cyber Intelligence
Cloud Concepts · 25-30% of exam

L4. The Shared Responsibility Model in Azure


The shared responsibility model defines the security boundary between Microsoft and the customer. The AZ-900 exam tests which party is responsible for which controls across IaaS, PaaS, and SaaS deployments.

What Is the Shared Responsibility Model?

In traditional on-premises environments, your organization is responsible for everything: the physical building, servers, networking, operating systems, applications, and data. When you move to the cloud, that responsibility shifts depending on the service model you choose.

The shared responsibility model defines exactly who is responsible for each security layer.

Responsibilities That Always Belong to Microsoft

Regardless of service model, Microsoft Azure is always responsible for:

  • Physical security of datacenters (access controls, surveillance, guards)
  • Physical network infrastructure (cables, routers, switches)
  • Physical hosts (the bare-metal servers powering virtualization)
  • The hypervisor (virtualization layer)

You cannot audit or modify these layers. Microsoft publishes third-party audit reports (SOC 2, ISO 27001) as evidence of compliance.

Responsibilities That Always Belong to the Customer

Regardless of service model, you are always responsible for:

  • Your data and data classification
  • User accounts and identities (who can access your Azure resources)
  • Devices (endpoints accessing your cloud services)
  • Information and data stored in the cloud

Layer-by-Layer Responsibility Shift

Security layer          IaaS        PaaS        SaaS
Physical datacenter     Microsoft   Microsoft   Microsoft
Physical network        Microsoft   Microsoft   Microsoft
Physical hosts          Microsoft   Microsoft   Microsoft
Operating system        Customer    Microsoft   Microsoft
Network controls        Customer    Shared      Microsoft
Applications            Customer    Customer    Microsoft
Identity and directory  Customer    Customer    Customer
Data                    Customer    Customer    Customer

Why This Matters for Security

Misunderstanding the shared responsibility model leads to real breaches. The most common mistake is assuming Microsoft secures what the customer is actually responsible for.

Common customer failures:

  • Leaving Azure Storage accounts publicly accessible (customer responsibility)
  • Not enabling MFA on Azure Active Directory accounts (customer responsibility)
  • Running unpatched operating systems on Azure VMs (IaaS: customer responsibility)
  • Misconfiguring IAM permissions (always customer responsibility)

Exam tip: On the AZ-900 exam, any question about data security, identity management, or application-level controls is testing whether you understand that these remain customer responsibilities even in the cloud.
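To make the layer shift concrete, here is an added example (not part of the lesson or of any Microsoft tooling) that applies the responsibility table to a constructed resource inventory: the same failing signal, such as pending OS patches, becomes a customer finding on an IaaS VM but is skipped on a PaaS service where Microsoft owns that layer. The inventory records, the mapping of public blob access to the "data" layer, and property names other than the ARM-style allowBlobPublicAccess and publicNetworkAccess are assumptions.

```python
from dataclasses import dataclass
# Owner of each security layer per service model, taken from the lesson's table.
RESPONSIBILITY = {
    "operating_system": {"IaaS": "Customer", "PaaS": "Microsoft", "SaaS": "Microsoft"},
    "network_controls": {"IaaS": "Customer", "PaaS": "Shared",    "SaaS": "Microsoft"},
    "applications":     {"IaaS": "Customer", "PaaS": "Customer",  "SaaS": "Microsoft"},
    "identity":         {"IaaS": "Customer", "PaaS": "Customer",  "SaaS": "Customer"},
    "data":             {"IaaS": "Customer", "PaaS": "Customer",  "SaaS": "Customer"},
}
@dataclass(frozen=True)
class Finding:
    resource: str
    layer: str
    owner: str   # "Customer" or "Shared": never "Microsoft"
    message: str

# (layer, predicate over a record's properties, message). Placing public blob
# access under "data" is an assumption; property names mimic ARM properties.
CHECKS = [
    ("data", lambda p: p.get("allowBlobPublicAccess") is True, "public blob access enabled"),
    ("network_controls", lambda p: p.get("publicNetworkAccess") == "Enabled", "public network access enabled"),
    ("identity", lambda p: p.get("mfaEnforced") is False, "MFA not enforced"),
    ("operating_system", lambda p: p.get("pendingOsPatches", 0) > 0, "pending OS patches"),
]

def evaluate(resources):
    """Report a failed check only when the layer is the customer's (or shared)
    under the resource's service model; Microsoft-owned layers are skipped."""
    findings = []
    for res in resources:
        props = res.get("properties", {})
        for layer, failed, message in CHECKS:
            owner = RESPONSIBILITY[layer][res["serviceModel"]]
            if owner != "Microsoft" and failed(props):
                findings.append(Finding(res["name"], layer, owner, message))
    return findings

# Constructed inventory records, not real Azure output.
SAMPLE_RESOURCES = [
    {"name": "stprodlogs", "serviceModel": "PaaS",
     "properties": {"allowBlobPublicAccess": True, "publicNetworkAccess": "Enabled"}},
    {"name": "vm-web-01", "serviceModel": "IaaS",
     "properties": {"pendingOsPatches": 12, "publicNetworkAccess": "Enabled"}},
    {"name": "app-api", "serviceModel": "PaaS", "properties": {"pendingOsPatches": 3}},
    {"name": "m365-tenant", "serviceModel": "SaaS", "properties": {"mfaEnforced": False}},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_RESOURCES):
        print(f"{f.resource:<12} {f.layer:<18} {f.owner:<9} {f.message}")
```

Running it reports five findings: two for the storage account, two for the IaaS VM, one for the SaaS tenant, and none for app-api, whose pending patches fall on Microsoft's side of the line.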

Exam Focus Points

  • Microsoft always owns: physical security, physical network, physical hosts, and the hypervisor
  • Customers always own: data, identities, devices, and information classification
  • IaaS: customer manages the OS and above; PaaS: customer manages applications and data; SaaS: customer manages data only
  • Network controls are a shared responsibility in PaaS deployments
  • Misconfigurations of IAM, storage access policies, and app permissions are always the customer's responsibility

Knowledge Check

1. A company is using Azure Virtual Machines (IaaS) and discovers their VMs are running an unpatched operating system. Who is responsible for patching the OS?

2. Which of the following is ALWAYS the customer's responsibility, regardless of whether they use IaaS, PaaS, or SaaS?
