1.2 Cloud Service Models (IaaS, PaaS, SaaS)
Key Takeaways
- IaaS (Infrastructure as a Service) gives you virtual hardware — VMs, virtual networks, disks — and the most control; you manage the OS and everything above it.
- PaaS (Platform as a Service) provides a managed runtime so you manage only your application and data; Azure handles the OS, patching, and scaling.
- SaaS (Software as a Service) delivers a finished application; you manage only your data, identities, and configuration.
- Moving from IaaS to PaaS to SaaS, the provider manages more and the customer manages less — but the customer ALWAYS owns data, accounts/identities, and devices.
- Azure VMs = IaaS; Azure App Service and Azure SQL Database = PaaS; Microsoft 365 and Dynamics 365 = SaaS.
Quick Answer: Three service models, increasing abstraction: IaaS (you manage the OS and up), PaaS (you manage only your app and data), SaaS (you just use the software). Azure VMs = IaaS, Azure App Service and Azure SQL Database = PaaS, Microsoft 365 = SaaS.
The service models and the shared responsibility model are among the most heavily tested AZ-900 topics. Each model sets a different division of labor between you (the customer) and Microsoft (the provider). The single question that resolves most scenarios is: who manages the operating system?
Infrastructure as a Service (IaaS)
IaaS gives the most flexibility and the most responsibility. Microsoft runs the physical layer; you operate the virtual machine and everything inside it.
- Microsoft manages: physical hosts, physical network, data center (power, cooling, security), and the hypervisor.
- You manage: operating system, patching, runtime, middleware, applications, network configuration (NSGs, subnets), and data.
- Azure examples: Azure Virtual Machines, Azure Virtual Network, Azure Managed Disks, Azure Load Balancer.
- Use cases: lift-and-shift migrations, legacy or custom apps needing specific OS builds, full-control dev/test, and high-performance computing (HPC).
Platform as a Service (PaaS)
PaaS supplies a managed development and hosting platform. You deploy code; Azure runs the OS, runtime, and scaling underneath it.
- Microsoft manages: everything in IaaS plus the operating system, middleware, runtime, OS patching, and (often) automatic scaling.
- You manage: your application code, your data, and limited platform settings.
- Azure examples: Azure App Service (web apps/APIs), Azure SQL Database (managed relational DB), Azure Functions (serverless code), Azure Cosmos DB (managed NoSQL).
- Use cases: rapidly building web apps and APIs, developers who want zero server maintenance, microservices, and agile prototyping.
Software as a Service (SaaS)
SaaS delivers a complete, ready-to-use application, usually through a browser. You consume; the vendor runs the entire stack.
- Microsoft manages: the whole stack — infrastructure, platform, application, updates, and most security.
- You manage: your data and tenant configuration (users, permissions, policies).
- Examples: Microsoft 365 (Word, Excel, Teams, Outlook online), Dynamics 365 (CRM/ERP), OneDrive.
- Use cases: email and collaboration, CRM, and any need for finished software with no installation or maintenance.
Service Model Comparison
| Aspect | IaaS | PaaS | SaaS |
|---|---|---|---|
| Customer control | Most | Moderate | Least |
| Provider management | Least | Moderate | Most |
| You manage the OS? | Yes | No | No |
| Flexibility | Highest | Medium | Lowest |
| Maintenance burden | Highest | Medium | Lowest |
| Azure example | Virtual Machines | App Service | Microsoft 365 |
| Best for | Custom/legacy workloads | App development | Ready-to-use software |
On the Exam: Scenario questions describe responsibilities, not labels. "The team patches the guest OS" = IaaS. "Developers push code and Azure handles servers and scaling" = PaaS. "Staff just sign in and use email" = SaaS.
The Shared Responsibility Model
This model defines which security duties belong to Microsoft and which belong to you. The split slides with the service model, but two rows never move to Microsoft.
| Responsibility | On-Prem | IaaS | PaaS | SaaS |
|---|---|---|---|---|
| Physical security/hosts/network | Customer | Microsoft | Microsoft | Microsoft |
| Operating system | Customer | Customer | Microsoft | Microsoft |
| Network controls | Customer | Customer | Shared | Microsoft |
| Applications | Customer | Customer | Customer | Microsoft |
| Information & data | Customer | Customer | Customer | Customer |
| Accounts & identities | Customer | Customer | Customer | Customer |
| Devices (endpoints) | Customer | Customer | Customer | Customer |
The non-negotiable rule: the customer is always responsible for data, accounts/identities, and devices in every model. Microsoft is always responsible for the physical layer. Everything between them shifts with the model.
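The table above can also be read in reverse, which is how exam scenarios and real ownership reviews present it: given who does what, find the model. The following Python sketch is an added example, not part of the original guide; the short row keys and function names are hypothetical, and treating a "Shared" cell as compatible with either owner is an assumption.

```python
# Added example (not from the source page): the shared responsibility table as data.
ROWS = ["physical", "os", "network", "applications", "data", "identities", "devices"]
C, M, S = "Customer", "Microsoft", "Shared"
MATRIX = {  # one column of the table per model, values in ROWS order
    "On-Prem": dict(zip(ROWS, [C, C, C, C, C, C, C])),
    "IaaS":    dict(zip(ROWS, [M, C, C, C, C, C, C])),
    "PaaS":    dict(zip(ROWS, [M, M, S, C, C, C, C])),
    "SaaS":    dict(zip(ROWS, [M, M, M, M, C, C, C])),
}
ALWAYS_CUSTOMER = ("data", "identities", "devices")
CUSTOMER_SHARE = {M: 0, S: 1, C: 2}  # how much of a row the customer carries


def infer_models(observed):
    """Return every model consistent with a partial {row: owner} scenario."""
    unknown = set(observed) - set(ROWS)
    if unknown:
        raise KeyError(f"unknown responsibility rows: {sorted(unknown)}")
    # The three rows that never move: a scenario that hands them away is invalid.
    for row in ALWAYS_CUSTOMER:
        if observed.get(row, C) != C:
            raise ValueError(f"'{row}' stays with the customer in every model")
    # Assumption: a "Shared" cell is compatible with either observed owner.
    return [
        model for model, column in MATRIX.items()
        if all(column[row] in (owner, S) for row, owner in observed.items())
    ]


def added_customer_duties(old, new):
    """Rows where the customer's share grows when a workload moves old -> new."""
    return [
        row for row in ROWS
        if CUSTOMER_SHARE[MATRIX[new][row]] > CUSTOMER_SHARE[MATRIX[old][row]]
    ]


if __name__ == "__main__":
    # "The team patches the guest OS" on Microsoft-run hosts
    print(infer_models({"physical": M, "os": C}))
    # Azure patches the OS, the team ships code
    print(infer_models({"os": M, "applications": C}))
    # Duties the customer picks up when re-hosting a PaaS app on VMs
    print(added_customer_duties("PaaS", "IaaS"))
```

A scenario that fixes only one row can match more than one model; `infer_models({"os": "Microsoft"})` returns both PaaS and SaaS, and the Applications row is what separates them.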
Serverless Computing
Serverless extends PaaS by abstracting even the platform sizing. You write a function; Azure provisions, scales from zero to many, and bills per execution.
- Azure Functions — event-driven code, billed per execution and per GB-second.
- Azure Logic Apps — visual workflow automation, billed per action.
- Azure Event Grid — event routing, billed per operation.
Serverless traits: no servers to manage, event-driven triggers (HTTP, timer, queue), automatic scale to zero, and micro-billing for actual run time.
Common Trap: "Managed" does not mean SaaS. Azure SQL Database is PaaS — you still own the data and schema; Microsoft only manages the engine and OS. SaaS means an entire end-user application like Microsoft 365.
Worked Scenario: Choosing a Service Model
A retailer wants to host a custom inventory application written for a specific Linux distribution with kernel modules it compiled itself. Because it needs full control of the operating system and the ability to install arbitrary packages, IaaS (Azure Virtual Machines) is the right fit — PaaS would not expose the kernel. The same retailer also wants a customer-facing web storefront that the development team can push to several times a day without managing patching or load balancers; here PaaS (Azure App Service) is correct because the team only ships code.
Finally, the retailer's staff need email and document collaboration with zero administration of the underlying app; SaaS (Microsoft 365) delivers that. One company, three workloads, three different models — exactly the multi-part mapping AZ-900 presents.
How to Decide Quickly on the Exam
Work down this short decision list and stop at the first match:
- Do you only sign in and use a finished app (email, CRM)? ⇒ SaaS.
- Do you deploy your own code but never touch the OS, runtime, or scaling? ⇒ PaaS.
- Do you install and patch the operating system and manage the VM yourself? ⇒ IaaS.
Cost and Effort Trade-off
| Factor | IaaS | PaaS | SaaS |
|---|---|---|---|
| Time to deploy an app | Slowest (build the OS first) | Fast (push code) | Instant (already built) |
| Operational staff needed | Most | Less | Least |
| Customization possible | Highest | Medium | Lowest |
| Vendor responsibility for security | Lowest | Medium | Highest |
The broad principle: as you move from IaaS toward SaaS you trade control for convenience. Choosing the right point on that spectrum is the most common Domain-1 service-model question, and the deciding factor is almost always how much of the operating system and platform the customer wants to manage.
A development team deploys a web API to a platform where Azure automatically patches the OS and scales instances; the team only maintains the application code and its database content. Which service model is this?
In the shared responsibility model, which responsibility remains with the CUSTOMER in every service model, including SaaS?
Which Azure offering is an example of IaaS?
Which characteristic is unique to serverless services such as Azure Functions compared with a standard PaaS web app?