Azure Shared Responsibility Model: What Microsoft Manages vs What You Manage
The shared responsibility model describes the division of security and management duties between Microsoft and Azure customers. Microsoft handles the physical infrastructure; you handle what you put on top of it. Where the boundary falls depends on which type of service you use — Infrastructure as a Service, Platform as a Service, or Software as a Service — and misunderstanding this boundary is one of the most common sources of security gaps in cloud deployments.
Why the Model Matters
Before cloud computing, running software meant owning or leasing physical servers. Your security team was responsible for everything: the building’s physical access, the hardware, the network, the operating system, the application, and the data. Nothing was shared because nothing was hosted by someone else.
When you move to Azure, Microsoft takes on some of those responsibilities — but not all of them. The specific split depends on the service model. The dangerous misconception is assuming that “moving to the cloud” means Microsoft takes care of security. It does not. Microsoft handles security for the layers it owns. The layers you still own require the same attention they always did.
A well-configured Azure deployment with strong access control, patched systems, encrypted data, and proper network segmentation is your team’s work. Azure provides the tools and the foundation; using them correctly is your responsibility.
The Responsibility Matrix: IaaS vs PaaS vs SaaS
The table below shows who is responsible for each security domain across the three service models. “Customer” means you own it. “Microsoft” means Microsoft handles it. “Shared” means both parties have responsibilities in that area.
| Responsibility Area | IaaS (Azure VM) | PaaS (Azure App Service, AKS) | SaaS (Microsoft 365) | On-Premises |
|---|---|---|---|---|
| Physical datacenter, power, cooling | Microsoft | Microsoft | Microsoft | Customer |
| Physical network hardware | Microsoft | Microsoft | Microsoft | Customer |
| Host hardware and hypervisor | Microsoft | Microsoft | Microsoft | Customer |
| Host OS and virtualization layer | Microsoft | Microsoft | Microsoft | Customer |
| Guest OS (inside the VM/container) | Customer | Microsoft | Microsoft | Customer |
| OS patching and updates | Customer | Microsoft | Microsoft | Customer |
| Network controls (firewalls, NSGs, routing) | Customer | Shared | Microsoft | Customer |
| Identity and access management | Shared | Shared | Shared | Customer |
| Application code and configuration | Customer | Customer | Microsoft | Customer |
| Data classification and encryption | Customer | Customer | Shared | Customer |
| Endpoint security (client devices) | Customer | Customer | Customer | Customer |
| Backup and disaster recovery | Customer | Shared | Shared | Customer |
“Shared” does not mean you can ignore that row. It means both parties have a role. For identity, for example, Microsoft provides Microsoft Entra ID as the identity platform (their part), but whether you enable multi-factor authentication, configure conditional access policies, and audit sign-in logs is your responsibility (your part). Skipping your part of a “shared” responsibility leaves a security gap regardless of what Microsoft does.
IaaS: Azure Virtual Machines
Infrastructure as a Service gives you the most control and the most responsibility. An Azure VM is a virtual computer running on Microsoft’s hardware in Microsoft’s datacenter. Microsoft handles everything from the concrete walls to the hypervisor. The moment your operating system boots inside the VM, you are responsible.
What this means in practice for a team running Azure VMs:
- OS patching: You must keep the Windows Server or Linux OS inside the VM patched. Azure provides Azure Update Manager to help automate this, but the decision to patch and the act of applying patches is yours. An unpatched VM with a known vulnerability is your risk.
- Firewall and NSG configuration: Azure provides Network Security Groups (NSGs) to filter traffic to and from VMs. Whether you configure those NSGs correctly — blocking unnecessary ports, allowing only required traffic — is your responsibility. A misconfigured NSG that allows SSH or RDP from the public internet is a customer mistake, not an Azure failure.
- Antivirus and endpoint protection: Running antivirus software on your VMs is your responsibility. Azure Defender for Servers can provide this, but it must be explicitly enabled and paid for.
- Disk encryption: Azure encrypts storage at rest by default (Azure Storage Service Encryption), but whether you also encrypt your VM disks with Azure Disk Encryption for customer-managed keys depends on your compliance requirements and is your decision.
- Backup: Snapshot-based backups of VM disks must be configured by you. Azure Backup is the recommended service for this, but you must set it up.
PaaS: Azure App Service and Azure SQL Database
Platform as a Service abstracts the operating system. When you run an application on Azure App Service, you deploy your code into a managed container that Microsoft operates. You do not SSH into the underlying host, and you do not patch the OS. That burden shifts to Microsoft.
What remains your responsibility on PaaS:
- Application code: If your application has a SQL injection vulnerability, that is not something Azure can prevent. Writing secure code is always the customer’s job.
- Access control: Who can deploy to the App Service? Who can read the database? Configuring RBAC, network access restrictions, and authentication providers is your work. An App Service with no authentication configured is accessible to anyone who knows the URL.
- Data protection: Azure SQL Database offers Transparent Data Encryption (TDE) enabled by default. But whether your data should also be encrypted at the application level before it reaches the database, and how you manage the encryption keys, is a decision you make based on your requirements.
- Configuration of PaaS features: Azure App Service has TLS settings, access restriction rules, and managed identity options. These are not configured by default to the most secure settings. You configure them according to your requirements.
A practical example: Azure SQL Database automatically applies security patches to the database engine. You never have to think about patching SQL Server. But if a developer writes a query that does not use parameterized inputs, SQL injection is possible — that vulnerability is in your code, and Azure patching the database engine does not fix it.
See Azure Security Best Practices for concrete steps to harden PaaS services.
SaaS: Microsoft 365 and Azure-Native SaaS
Software as a Service means you consume a fully managed application. Microsoft 365 (Teams, SharePoint, Exchange) is the most common SaaS example for Azure customers. Microsoft manages everything except your data, users, and configuration.
On SaaS you are still responsible for:
- User accounts and access: Who has access to Teams? Who is a SharePoint admin? Configuring Microsoft Entra ID properly, enforcing MFA, and managing user lifecycle (provisioning and deprovisioning) is your responsibility.
- Data classification: What data do your users store in SharePoint? Is sensitive data labeled correctly? Are retention policies configured?
- Client device security: The device your employee uses to access Microsoft 365 is yours to secure. A compromised endpoint can access SaaS services regardless of how well Microsoft has secured their servers.
Identity is always a shared responsibility regardless of service model. Microsoft Entra ID handles authentication infrastructure. You handle user provisioning, MFA enforcement, conditional access policies, and privileged access management. No service model eliminates your identity management responsibilities.
What Is Always Your Responsibility
Regardless of whether you use IaaS, PaaS, or SaaS, three categories are always the customer’s responsibility:
Your data and content. Microsoft manages the infrastructure your data sits on, but the data itself — its classification, access controls, retention, and protection — is yours. Microsoft will not tell you that you are storing sensitive data incorrectly.
Your users and identities. Who has accounts? Who has elevated privileges? Are those privileges still needed? Is MFA enabled for all administrative accounts? Microsoft provides the tools; your team manages the configuration.
Client devices. Any device used to access Azure resources — laptops, phones, tablets — is outside the scope of what Microsoft secures. A stolen unencrypted laptop with a browser session open to the Azure portal is a significant security risk regardless of how secure Azure’s servers are.
These three areas are why zero-trust security principles — verify every request, assume breach, use least-privilege access — matter even when running entirely on Azure. See Azure Identity Basics for where identity security starts.
Common Shared Responsibility Mistakes
- Assuming PaaS means zero security work. PaaS eliminates OS patching and infrastructure management. It does not eliminate application security, access control, or data protection. Teams moving from IaaS to PaaS sometimes relax security practices thinking “Microsoft handles it now” — but application-layer security was always their responsibility.
- Not patching VM operating systems. Azure VM customers who do not have an OS patching process regularly get compromised through known vulnerabilities in unpatched Windows Server or Linux installations. Azure Update Manager is free and can automate this — there is no excuse for leaving VMs unpatched.
- Leaving Network Security Groups overly permissive. Default NSG configurations often allow more inbound traffic than necessary. An NSG that allows port 22 (SSH) or 3389 (RDP) from 0.0.0.0/0 (the entire internet) is an extremely common finding in Azure security reviews. Lock inbound rules to known IP ranges or require a VPN.
- Not configuring MFA for Entra ID accounts. Identity is a shared responsibility, but enabling multi-factor authentication is entirely the customer’s job. Accounts without MFA are significantly more vulnerable to credential attacks. Microsoft recommends MFA for all accounts; require it for all accounts with Azure access.
- Relying on Azure’s storage redundancy as a backup strategy. Azure Storage replication (LRS, GRS) protects against hardware failures and datacenter outages. It does not protect against accidental deletion or data corruption — those events are replicated too. Configure application-level backups separately from storage redundancy.
Summary
- The shared responsibility model defines what Microsoft secures versus what you secure in Azure.
- Microsoft always owns: physical datacenter, hardware, host OS, and hypervisor.
- With IaaS (Azure VMs): you own the guest OS, patching, network controls, and application security.
- With PaaS (App Service, Azure SQL): Microsoft takes the OS and runtime; you own your application code, access controls, and data protection.
- With SaaS (Microsoft 365): Microsoft handles everything except your users, data classification, and client devices.
- Identity, client device security, and data protection are always the customer’s responsibility regardless of service model.
Frequently asked questions
If my Azure VM gets breached, is that Microsoft's fault?
It depends on the layer where the breach occurred. Microsoft is responsible for the physical host hardware and the hypervisor. If the breach came from an unpatched operating system inside the VM, that is your responsibility — you own OS patching on IaaS VMs. If it came from an application vulnerability in your code, that is also your responsibility. Azure securing the physical infrastructure does not protect against vulnerabilities you introduce at higher layers.
Does moving to PaaS reduce my security responsibility?
Yes, significantly. With PaaS services like Azure App Service or Azure SQL, Microsoft handles OS patching, network hardening, and infrastructure security. You focus on your application code, access control (who can reach the service), and the data inside it. The total attack surface you manage is smaller with PaaS than with IaaS.
Does Microsoft guarantee my data is backed up?
Not automatically on all services. Azure maintains the storage infrastructure and replicates data based on the redundancy option you chose (LRS, ZRS, GRS). But whether your data has application-level backups — whether you can recover from accidental deletion or corruption — is typically your responsibility. Some services like Azure SQL Database offer point-in-time restore; others require you to configure backup explicitly. Always confirm the backup and recovery capabilities of any service before relying on it.