Dellenny discusses the Shared Responsibility Model in Azure, illustrating how security roles are divided between Microsoft and the customer, with practical real-world examples and clear advice.

Shared Responsibility Model in Azure Explained (with Real Examples)

Author: Dellenny
Date: November 5, 2025

Introduction

Microsoft Azure is a leading cloud platform, but understanding your organization’s security and operational duties is vital for safe and compliant cloud usage. The Shared Responsibility Model clarifies how responsibilities are split between Azure and its customers across IaaS, PaaS, and SaaS offerings.

What is the Shared Responsibility Model?

The Shared Responsibility Model explains which aspects of security and operations are handled by Microsoft Azure and which are left to the customer. The division depends on the type of Azure service being used:

Infrastructure as a Service (IaaS) — Azure provides and secures the physical server, network, and hypervisor; customers manage the OS, application updates, data, and network access controls.
Platform as a Service (PaaS) — Azure manages the infrastructure, OS, and runtime; customers manage their applications and secure their data.
Software as a Service (SaaS) — Microsoft covers nearly all aspects of infrastructure and application security, while customers are responsible for identity, data governance, and client-side security.

Responsibilities by Service Model

IaaS (Infrastructure as a Service)

Customer manages: OS patching, application security, firewall and NSG configuration, disk encryption.
Example: Deploying a Windows Server VM means Microsoft secures the physical host and virtualization; you handle Windows updates, firewall configuration, and data protection.

PaaS (Platform as a Service)

Customer manages: Application code security, user authentication, data protection/encryption.
Example: Using Azure App Service, Microsoft maintains the OS and runtime. You ensure your application is secure and your users’ data is protected.

SaaS (Software as a Service)

Customer manages: Identity and access management, data classification, enabling security features like MFA.
Example: In Microsoft Teams (part of Microsoft 365), Microsoft patches and secures the environment. You control user access and data-sharing policies.

Real-World Examples

Securing VMs (IaaS):
- Patch guest OS regularly
- Configure NSGs
- Encrypt disks with Azure Disk Encryption
Protecting Azure SQL Database (PaaS):
- Azure automates backups and patching
- Company manages user access and data encryption
Data Governance in Microsoft 365 (SaaS):
- Configure access controls with Azure Active Directory
- Enable DLP policies
- Classify documents and emails

Why the Shared Responsibility Model Matters

Failing to understand the split in responsibilities can expose organizations to risks such as data breaches or compliance failures. Azure users must not assume all security is managed by Microsoft—oversight on the customer side can result in serious vulnerabilities.

Best Practices

Know Your Service Model: Clearly identify whether you’re using IaaS, PaaS, or SaaS and adjust your security focus accordingly.
Identity & Access Management: Implement least privilege, enforce Multi-Factor Authentication, and use role-based access controls (RBAC).
Encrypt Data: Protect data at rest (Azure Disk Encryption, TDE) and in transit. Manage encryption keys using Azure Key Vault.
Monitoring & Auditing: Use Azure Monitor and Security Center to track activity and compliance gaps.
Timely Patching: Regularly update OS and applications for IaaS; secure your code for PaaS.

Conclusion

The Shared Responsibility Model is fundamental for secure and efficient Azure operations. Understanding which duties belong to Azure and which fall to your team helps close security gaps, improve compliance, and reduce risk. Applying these principles ensures you get the most from cloud services while maintaining control over your environment.

This post appeared first on “Dellenny’s Blog”. Read the entire article here