Shared Responsibility Model in SC-900: Who Is Responsible for What in the Cloud?

Shared Responsibility Model in SC-900

One of the most misunderstood concepts in cloud security is who is actually responsible for protecting what.

Many organisations assume that once they move workloads to the cloud, security becomes the cloud provider’s job. Others assume the opposite — that everything still belongs to the customer. Both assumptions are wrong.

This is why the Shared Responsibility Model is a core concept in SC-900 (Microsoft Security, Compliance, and Identity Fundamentals).

SC-900 does not test technical configuration here.
It tests whether you understand how responsibility is divided between Microsoft and the customer, and why this division matters for security, compliance, and risk management.

Why SC-900 Emphasises the Shared Responsibility Model

In cloud environments, security failures often happen not because tools are missing, but because responsibilities are misunderstood.

Common real-world issues include:

  • MFA not enabled because “cloud security is Microsoft’s job”
  • Data exposed because retention or access controls were never configured
  • Compliance failures due to unclear ownership

SC-900 introduces the Shared Responsibility Model to set the correct security mindset early.


What Is the Shared Responsibility Model?

The Shared Responsibility Model defines how security responsibilities are shared between the cloud provider and the customer.

In Microsoft cloud services:

  • Microsoft is responsible for security of the cloud
  • Customers are responsible for security in the cloud

This distinction is critical.

Microsoft builds and secures the underlying cloud platform, while customers must configure and manage how their data, identities, and access are protected.


Microsoft’s Responsibilities: Security of the Cloud

Microsoft is responsible for securing the cloud infrastructure itself.

This includes:

  • Physical datacenters
  • Hardware
  • Network infrastructure
  • Core platform services
  • Availability and resilience of the cloud

From an SC-900 perspective, this means Microsoft ensures:

  • Datacenters are physically secure
  • The cloud platform is maintained and patched
  • Core services remain available and resilient

Customers do not manage these layers.


Customer Responsibilities: Security in the Cloud

Customers are responsible for how cloud services are used and configured.

This includes:

  • Identity and access management
  • Data protection
  • Device security
  • Application configuration
  • Compliance policies

Even in fully managed SaaS services, customers still control:

  • Who can access data
  • From where access is allowed
  • How sensitive data is protected

SC-900 strongly reinforces that misconfigured identity and access controls are customer responsibility, not Microsoft’s.


How Responsibility Changes Across Cloud Service Models

SC-900 introduces the idea that responsibility shifts depending on the service model.

Infrastructure as a Service (IaaS)

  • Microsoft secures physical infrastructure
  • Customer secures operating systems, applications, identity, and data

Platform as a Service (PaaS)

  • Microsoft secures the platform and runtime
  • Customer secures applications, data, and access

Software as a Service (SaaS)

  • Microsoft secures the application and platform
  • Customer secures identity, data access, and configuration

As you move from IaaS to SaaS, Microsoft takes on more platform responsibility, but identity and data protection always remain the customer’s responsibility.


Shared Responsibility and Identity Security

Identity plays a central role in the Shared Responsibility Model.

Microsoft provides the identity platform through Microsoft Entra ID, but customers must:

  • Enable MFA
  • Configure Conditional Access
  • Assign roles correctly
  • Remove excessive privileges

If an account is compromised due to weak identity controls, that failure belongs to the customer, not Microsoft.
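As an added illustration (not from the original post), this is what the customer-side task "enable MFA / configure Conditional Access" looks like in practice: Microsoft operates Entra ID, but the tenant owner has to create the policy. It uses the Microsoft.Graph PowerShell module (`New-MgIdentityConditionalAccessPolicy`); the break-glass account object ID is a placeholder and the report-only state is an assumption, not something the post prescribes.

```powershell
# Added example, not from the original post: the customer half of the shared
# responsibility model for identity. Microsoft runs the Entra ID platform; the
# tenant must still author the Conditional Access policy that requires MFA.
# Needs the Microsoft.Graph module and the Policy.ReadWrite.ConditionalAccess scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$params = @{
    displayName   = "Require MFA for all users (SC-900 example)"
    # Report-only first: sign-ins are evaluated and logged but nobody is blocked,
    # so the impact can be reviewed before the state is changed to "enabled".
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            # Assumption/placeholder: object ID of the tenant's emergency-access
            # account, excluded so an MFA registration problem cannot lock out
            # every administrator at once.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $params

# Check: the policy exists and is in the expected state before enforcement.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object DisplayName -like "Require MFA*" |
    Select-Object DisplayName, State
```

Once the report-only sign-in logs show no unintended lockouts, the same cmdlet family (`Update-MgIdentityConditionalAccessPolicy`) is used to move `state` to `enabled`; until then the tenant's accounts remain the customer's exposure, not Microsoft's.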

This is why SC-900 repeatedly connects identity fundamentals with shared responsibility.


Shared Responsibility and Compliance

Compliance is another area where misunderstandings are common.

Microsoft:

  • Provides compliant platforms
  • Offers compliance tools and reports
  • Supports regulatory frameworks

Customers:

  • Decide how long data is retained
  • Control access to sensitive data
  • Apply data classification and protection
  • Respond to audits and legal requirements

SC-900 highlights that compliance is shared, but accountability ultimately lies with the customer.


Common Misconceptions Addressed by SC-900

SC-900 helps correct several dangerous assumptions:

  • “Microsoft handles all security in the cloud.”
    Microsoft secures the platform, not your access decisions.
  • “Compliance is automatic in cloud services.”
    Tools exist, but configuration and enforcement are customer responsibilities.
  • “SaaS means no security responsibility.”
    Identity, data, and access are always the customer’s job.

Understanding these points prevents costly security and compliance mistakes.


Real-World Examples of Shared Responsibility Failures

The Shared Responsibility Model explains many real-world incidents:

  • Data leaks caused by public access misconfiguration
  • Admin accounts compromised due to missing MFA
  • Compliance violations due to missing retention policies

In each case, the platform worked as designed.
The failure occurred because customer responsibilities were not fulfilled.

SC-900 prepares learners to recognise and prevent these issues.


Why the Shared Responsibility Model Matters for Zero Trust

Zero Trust assumes:

  • No implicit trust
  • Continuous verification
  • Least privilege access

The Shared Responsibility Model clarifies who must implement these controls.

Microsoft provides the capability.
Customers must design and enforce Zero Trust policies.

Without understanding shared responsibility, Zero Trust cannot be applied correctly.


Why SC-900 Tests This Concept

SC-900 includes the Shared Responsibility Model because:

  • Cloud adoption is widespread
  • Responsibility confusion is common
  • Identity and data breaches are often customer-side failures

The exam tests whether you understand:

  • Where Microsoft’s responsibility ends
  • Where customer responsibility begins
  • How this affects security and compliance outcomes

This understanding is foundational for all cloud and security roles.


Final Thoughts: Shared Responsibility Enables Secure Cloud Adoption

Cloud security is not about shifting responsibility — it’s about sharing it correctly.

Microsoft secures the cloud platform.
Customers secure identities, access, and data.

SC-900 ensures learners understand this balance early, helping them:

  • Avoid security assumptions
  • Design safer cloud environments
  • Take ownership of identity and data protection

This mindset is essential for anyone working with Microsoft cloud services.

Also, view our detailed guide on what is SC-900 to understand Microsoft Security, Compliance, and Identity fundamentals.

For official and up-to-date exam objectives, learning paths, and reference material, refer to Microsoft Learn’s SC-900 documentation.


What’s Next in the SC-900 Series

In the next post, we’ll cover:

Defense in Depth in SC-900: How Layered Security Reduces Risk

This will build on the identity, Conditional Access, and shared responsibility concepts covered so far.
