L4. The Shared Responsibility Model in Azure
The shared responsibility model defines the security boundary between Microsoft and the customer. The AZ-900 exam tests which party is responsible for which controls across IaaS, PaaS, and SaaS deployments.
What Is the Shared Responsibility Model?
In traditional on-premises environments, your organization is responsible for everything: the physical building, servers, networking, operating systems, applications, and data. When you move to the cloud, that responsibility shifts depending on the service model you choose.
The shared responsibility model defines exactly who is responsible for each security layer.
Responsibilities That Always Belong to Microsoft
Regardless of service model, Microsoft Azure is always responsible for:
- Physical security of datacenters (access controls, surveillance, guards)
- Physical network infrastructure (cables, routers, switches)
- Physical hosts (the bare-metal servers powering virtualization)
- The hypervisor (virtualization layer)
You cannot audit or modify these layers. Microsoft publishes third-party audit reports (SOC 2, ISO 27001) as evidence of compliance.
Responsibilities That Always Belong to the Customer
Regardless of service model, you are always responsible for:
- Your data and data classification
- User accounts and identities (who can access your Azure resources)
- Devices (endpoints accessing your cloud services)
- Information and data stored in the cloud
Layer-by-Layer Responsibility Shift
| Security Layer | IaaS | PaaS | SaaS |
|---|---|---|---|
| Physical datacenter | Microsoft | Microsoft | Microsoft |
| Physical network | Microsoft | Microsoft | Microsoft |
| Physical hosts | Microsoft | Microsoft | Microsoft |
| Operating system | Customer | Microsoft | Microsoft |
| Network controls | Customer | Shared | Microsoft |
| Applications | Customer | Customer | Microsoft |
| Identity and directory | Customer | Customer | Customer |
| Data | Customer | Customer | Customer |
Why This Matters for Security
Misunderstanding the shared responsibility model leads to real breaches. The most common mistake is assuming Microsoft secures what the customer is actually responsible for.
Common customer failures:
- Leaving Azure Storage accounts publicly accessible (customer responsibility)
- Not enabling MFA on Azure Active Directory accounts (customer responsibility)
- Running unpatched operating systems on Azure VMs (IaaS: customer responsibility)
- Misconfiguring IAM permissions (always customer responsibility)
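The first failure above (publicly accessible storage) is one a customer can check for without waiting on Microsoft. As an added example that is not part of this lesson, the script below audits a constructed sample shaped like `az storage account list -o json` output for the customer-owned settings that most often expose data; the field names are assumed to match the CLI's JSON, and the account names are made up.

```python
"""Flag Azure Storage accounts whose customer-owned settings leave data exposed."""
import json

# Constructed sample mirroring a few fields of `az storage account list -o json`
# output (an assumption of this example; real output carries many more fields).
SAMPLE_ACCOUNTS_JSON = """[
  {"name": "finance-archive", "allowBlobPublicAccess": true,
   "enableHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_2",
   "networkRuleSet": {"defaultAction": "Allow"}},
  {"name": "hr-docs", "allowBlobPublicAccess": false,
   "enableHttpsTrafficOnly": false, "minimumTlsVersion": "TLS1_0",
   "networkRuleSet": {"defaultAction": "Deny"}},
  {"name": "locked-down", "allowBlobPublicAccess": false,
   "enableHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_2",
   "networkRuleSet": {"defaultAction": "Deny"}}
]"""


def audit_storage_accounts(accounts):
    """Return {account_name: [finding, ...]} for accounts with weak settings.

    Every check here is a customer-responsibility control under the shared
    responsibility model: Microsoft secures the physical hosts and hypervisor,
    not whether you leave your own blobs reachable by anyone.
    """
    findings = {}
    for acct in accounts:
        issues = []
        # Missing keys are treated as the weaker setting so nothing slips by.
        if acct.get("allowBlobPublicAccess", True):
            issues.append("anonymous blob access is allowed at the account level")
        if acct.get("networkRuleSet", {}).get("defaultAction", "Allow") == "Allow":
            issues.append("network default action is Allow (reachable from any IP)")
        if not acct.get("enableHttpsTrafficOnly", False):
            issues.append("plain HTTP traffic is permitted")
        if acct.get("minimumTlsVersion", "TLS1_0") != "TLS1_2":
            issues.append(f"minimum TLS version is {acct.get('minimumTlsVersion')}")
        if issues:
            findings[acct["name"]] = issues
    return findings


def audit_json(raw):
    """Parse raw CLI JSON and run the audit on it."""
    return audit_storage_accounts(json.loads(raw))


if __name__ == "__main__":
    for name, issues in audit_json(SAMPLE_ACCOUNTS_JSON).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Piping real `az storage account list -o json` output into `audit_json` gives the same report for a live subscription.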
- ✓ Microsoft always owns: physical security, physical network, physical hosts, and the hypervisor
- ✓ Customers always own: data, identities, devices, and information classification
- ✓ IaaS: customer manages the OS and above; PaaS: customer manages applications and data; SaaS: customer manages data only
- ✓ Network controls are a shared responsibility in PaaS deployments
- ✓ Misconfigurations of IAM, storage access policies, and app permissions are always the customer's responsibility
1. A company is using Azure Virtual Machines (IaaS) and discovers their VMs are running an unpatched operating system. Who is responsible for patching the OS?
2. Which of the following is ALWAYS the customer's responsibility, regardless of whether they use IaaS, PaaS, or SaaS?