2.1 Shared Responsibility Model

Key Takeaways

  • The shared responsibility model explains which security tasks belong to the cloud provider and which remain with the customer.
  • Customer responsibility is greatest on-premises and shifts toward the provider as services move from IaaS to PaaS to SaaS.
  • Data, identities and access, endpoints, and configuration choices remain customer responsibilities across cloud service models.
  • SC-900 questions often test whether moving to cloud removes work or changes who performs specific work.

Last updated: May 2026

Shared responsibility clarifies cloud security ownership

The shared responsibility model explains who is accountable for parts of security when workloads move from on-premises environments to cloud services. In an on-premises environment, the organization manages the full technology stack: facilities, physical servers, networking, operating systems, applications, identities, and data. In cloud services, some of those responsibilities shift to the provider.

The exact division depends on the service model. Infrastructure as a Service delegates the physical datacenter, network hardware, and host machines to the provider, while the customer still manages operating systems, applications, configured network controls, and data. Platform as a Service shifts more platform work, including operating system and runtime responsibility, to the provider. Software as a Service delegates the application stack and underlying infrastructure, while the customer still manages access, data, and tenant configuration.

| Service model | Provider tends to manage | Customer still focuses on |
|---|---|---|
| On-premises | No cloud provider layer | Full stack, from physical facilities through data. |
| IaaS | Datacenter, network hardware, hosts | Operating systems, applications, configured controls, data. |
| PaaS | Infrastructure plus operating system and runtime | Application code, configuration, access controls, data. |
| SaaS | Application stack and underlying infrastructure | Access management, data, tenant-level settings. |

The exam trap is assuming cloud means security belongs entirely to Microsoft. It does not. Cloud adoption changes the split of tasks, but it does not remove customer accountability. Microsoft secures the parts of the service it operates. The customer decides what data is stored, who can access it, how identities are protected, which endpoints connect, and how tenant settings are configured.

Microsoft Learn highlights responsibilities customers always retain: data, identities and access, endpoints, and configuration choices. These are high-value SC-900 cues. If a scenario asks who classifies sensitive data, manages user permissions, secures laptops, or avoids overly permissive settings, the answer usually points to the customer side of the model.

Exam scenario cues

  • If the scenario is about physical datacenter security for a cloud service, think provider responsibility.

  • If the scenario is about user access, data classification, endpoint health, or tenant configuration, think customer responsibility.

  • If the scenario moves from IaaS to PaaS or SaaS, expect the provider to handle more underlying platform work.

Shared responsibility also explains why Microsoft cloud services can improve security without making security automatic. Provider investment can reduce infrastructure burden, but the customer still needs governance, identity controls, monitoring, secure configuration, and data protection decisions. A misconfigured tenant or compromised identity can expose resources even when the underlying platform is secure.

For SC-900, learn the direction of responsibility shift rather than memorizing every possible control. On-premises gives the customer maximum control and maximum responsibility. SaaS gives the provider more operational responsibility, but the customer still owns business decisions around data, identities, endpoints, and configuration.

Test Your Knowledge

Which responsibility always remains with the customer in the shared responsibility model?


What happens to provider responsibility as a workload moves from IaaS to PaaS to SaaS?


A company uses a SaaS application and must decide who can access sensitive records. Who owns that access-management decision?
