The Azure Shared Responsibility Model, Finally Explained
The shared responsibility model is the Microsoft AZ-900 concept everyone thinks they understand — until the exam asks exactly where Microsoft's job ends and theirs begins. Here's the clear version.

Of all the cloud-concepts topics on the Microsoft AZ-900 exam, the shared responsibility model produces the most confident wrong answers. It feels obvious — Microsoft handles security in the cloud, right? — until an Azure Fundamentals question asks precisely which party is responsible for a specific thing, and the obvious answer turns out to be wrong. Here's how to think about it so those questions become easy.
Why “shared” is the word that trips people
Security in the cloud isn't Microsoft's job or yours — it's split, and the split changes depending on the service. People get it wrong because they reach for a single rule ("the cloud provider secures everything") when the real model is a sliding scale. Once you see it as a line that moves, the confusion disappears.
What's always yours, and always Microsoft's
Two things never change, no matter the service. Microsoft is always responsible for the physical security of its datacenters — the buildings, hardware, and network backbone. And you are always responsible for your data and your identities — the information you put in Azure and the accounts that access it. If an AZ-900 question is about a stolen password or a misconfigured permission, that's your side of the line, every time.
The line moves with the service model
Between those two fixed points, responsibility shifts with how much of the stack Microsoft manages. With IaaS, you own the operating system, network configuration, and applications. With PaaS, Microsoft takes over the OS and runtime, leaving you the application and its data. With SaaS, Microsoft handles almost everything and you're left mainly with data, accounts, and access settings. The more managed the service, the smaller your share — but data and identity never leave your plate.
A simple rule for the exam
When a Microsoft AZ-900 question asks "who is responsible for X?", ask yourself two things: is X physical infrastructure (always Microsoft) or is X data/identity (always you)? If it's neither, decide based on the service model — the more the provider manages, the more likely it's Microsoft's. That two-step check answers nearly every shared-responsibility question on the exam.
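The two-step check above, written out as a small triage function. This is an added example, not part of the original article: the layer names, the `responsible_party` and `triage` helpers, and the sample findings are constructed for illustration, and only the layers the article places under all three service models are included.

```python
# Stack layers the article names, ordered from the provider side upward.
STACK = ["physical", "operating_system", "runtime", "application"]

# Where the line sits: index of the first layer the customer owns.
# IaaS: OS and everything above. PaaS: application only. SaaS: none of these.
CUSTOMER_FROM = {"iaas": 1, "paas": 3, "saas": 4}

ALWAYS_MICROSOFT = {"physical"}          # datacenters, hardware, backbone
ALWAYS_CUSTOMER = {"data", "identity"}   # never leaves the customer's plate


def responsible_party(layer, service_model):
    """Return 'Microsoft' or 'Customer' for a layer under a service model."""
    layer, service_model = layer.lower(), service_model.lower()
    # Step 1: the two fixed points do not depend on the service model.
    if layer in ALWAYS_MICROSOFT:
        return "Microsoft"
    if layer in ALWAYS_CUSTOMER:
        return "Customer"
    # Step 2: otherwise the position of the line for this model decides.
    if service_model not in CUSTOMER_FROM:
        raise ValueError(f"unknown service model: {service_model}")
    if layer not in STACK:
        raise ValueError(f"unknown layer: {layer}")
    on_customer_side = STACK.index(layer) >= CUSTOMER_FROM[service_model]
    return "Customer" if on_customer_side else "Microsoft"


# Constructed findings: (title, layer it concerns, service model).
FINDINGS = [
    ("Storage container left public", "data", "paas"),
    ("Stolen password on an admin account", "identity", "saas"),
    ("OS missing patches on a virtual machine", "operating_system", "iaas"),
    ("OS missing patches under a managed app platform", "operating_system", "paas"),
    ("Datacenter building access", "physical", "iaas"),
]


def triage(findings):
    """Pair each finding with the party that owns the fix."""
    return [(title, responsible_party(layer, model))
            for title, layer, model in findings]


if __name__ == "__main__":
    for title, owner in triage(FINDINGS):
        print(f"{owner:<10} {title}")
```

The same layer (the operating system) lands on different sides under IaaS and PaaS, while the data and identity findings stay with the customer under every model.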
Why it matters beyond the exam
This isn't just exam trivia. Most real cloud breaches happen on the customer's side of the line — a storage container left public, a weak or unprotected identity, a misconfigured access policy. Understanding the model is what keeps "the cloud is secure" from turning into a false sense of safety. Azure Fundamentals teaches it for exactly this reason, and practising AZ-900 questions on ExamStudyApp is the quickest way to make where the line sits stick.
Test your understanding
The shared responsibility model is best learned by answering scenario questions, because that's how the exam frames it. Work through AZ-900 shared-responsibility questions on ExamStudyApp, and let the explanations confirm why each responsibility falls where it does. ExamStudyApp's readiness tracking will tell you when this domain — and the rest of Microsoft Certified: Azure Fundamentals — is solid enough to book.


