Azure Shared Responsibility Model Guide: Security of vs. in the Cloud 2026

Updated April 23, 2026  |  7 min read

This guide is for anyone preparing for Azure AZ-900 or AZ-104 in 2026 who keeps getting shared responsibility questions wrong and needs a clear mental model.

What Is the Shared Responsibility Model?

The shared responsibility model is the foundation of cloud security on Azure. It clarifies who is accountable for each layer of the stack: Microsoft or the customer. As you move from on-premises to IaaS, PaaS, and SaaS, Microsoft takes on more responsibility — but the customer never hands off everything.

On the AZ-900 exam, you must be able to look at any Azure service and instantly know which security tasks belong to you and which belong to Microsoft. This guide gives you a clear mental model and a service-by-service reference table you can review before exam day.

Microsoft Responsibilities (Security OF the Cloud)

Microsoft is always responsible for the physical and environmental security of the cloud. This includes:

  • Physical datacenters: Buildings, power, cooling, and physical access controls
  • Network infrastructure: Routers, switches, and backbone connectivity between regions
  • Virtualization hosts: Hypervisors and host operating systems
  • Platform patching: Patching the underlying PaaS and SaaS platforms

Think of this as security of the cloud — the infrastructure that makes Azure possible. You cannot see it or touch it, and you do not manage it.

Customer Responsibilities (Security IN the Cloud)

The customer is always responsible for data and access. No matter which service model you choose, you own:

  • Data: Classification, ownership, encryption at rest and in transit, backups
  • Identity and access: User accounts, passwords, MFA, Conditional Access policies
  • Endpoints: Devices and clients that connect to your Azure resources
  • Account management: Subscription governance, RBAC assignments, billing

As you move up the stack from IaaS to SaaS, your responsibility shrinks — but data and identity remain yours forever. That is the key AZ-900 insight.

Service-by-Service Breakdown

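| Layer            | On-Premises | IaaS (VMs) | PaaS (App Service) | SaaS (Microsoft 365) |
|------------------|-------------|------------|--------------------|----------------------|
| Data             | Customer    | Customer   | Customer           | Customer             |
| Endpoints        | Customer    | Customer   | Customer           | Customer             |
| Account & Access | Customer    | Customer   | Customer           | Customer             |
| Identity         | Customer    | Customer   | Customer           | Customer             |
| Application      | Customer    | Customer   | Customer           | Microsoft            |
| Runtime          | Customer    | Customer   | Microsoft          | Microsoft            |
| OS               | Customer    | Customer   | Microsoft          | Microsoft            |
| Virtualization   | Customer    | Microsoft  | Microsoft          | Microsoft            |
| Network          | Customer    | Microsoft  | Microsoft          | Microsoft            |
| Physical         | Customer    | Microsoft  | Microsoft          | Microsoft            |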

Memory trick for the exam: The customer always owns the top four rows (data, endpoints, account, identity). In every cloud model (IaaS, PaaS, SaaS), Microsoft owns the bottom three (virtualization, network, physical). The middle three (application, runtime, OS) shift depending on the service model.

Common AZ-900 Exam Traps

The shared responsibility model is tightly linked to cloud service models. If you need a refresher on IaaS, PaaS, and SaaS with real Azure examples, see our IaaS vs PaaS vs SaaS guide. For a quick pre-exam review, our printable cheat sheet covers both topics.

  • Trap 1 — "Microsoft handles all security in PaaS." False. You still manage data, identity, endpoints, and your own application. Compared with IaaS, Microsoft additionally takes on only the runtime and OS.
  • Trap 2 — "SaaS means zero customer responsibility." False. You still own data and account access. If you leak admin credentials, that is on you.
  • Trap 3 — "IaaS VM patching is Microsoft's job." False. OS patching is the customer's responsibility for IaaS VMs unless you use VM extensions or Azure Update Manager.
  • Trap 4 — "The model is the same for every Azure service." False. Azure SQL Database (PaaS) and SQL Server on a VM (IaaS) have different responsibility splits even though the engine is similar.

Frequently Asked Questions

What is the Azure shared responsibility model?

The Azure shared responsibility model defines how security and management duties are split between Microsoft (security OF the cloud) and the customer (security IN the cloud). The exact split depends on the service model.

Who is responsible for OS patching in Azure VMs?

For Azure Virtual Machines (IaaS), the customer is responsible for OS patching, application updates, and data security. Microsoft manages only the physical host, network, and datacenter infrastructure.

Does Microsoft manage firewall rules in Azure SQL Database?

No. While Microsoft manages the SQL Database platform and OS, the customer must configure firewall rules, access control, data classification, and encryption settings.

Which Azure service model shifts the most responsibility to Microsoft?

SaaS (Software as a Service) shifts the most responsibility to Microsoft. The customer only manages data and identity access, while Microsoft handles the application, runtime, OS, and infrastructure.

Is the shared responsibility model tested on AZ-900?

Yes. AZ-900 consistently tests whether you know who is responsible for what across IaaS, PaaS, and SaaS. Expect 2-4 questions on this topic in every exam.
