Why is infrastructure shared responsibility on SaaS? (Az-900)

Hi @Hisss

When you hear “SaaS,” you tend to think “Microsoft takes care of everything.” In reality, what’s shown as “infrastructure” in that Learn module isn’t the whole datacenter stack (servers, storage, networking fabric, virtualization—that’s all Microsoft’s job) but rather the integration and connectivity bits that you still control:

• You manage your identity infrastructure (your Azure AD tenant, user and group provisioning, conditional-access policies, MFA, custom claims rules, SSO connections, etc.) • You configure how your devices and networks reach the service (firewalls, proxy settings, private endpoints, VPNs or ExpressRoute, endpoint security on client devices) • You configure the SaaS app’s service-level network settings and often some in-app infrastructure pieces (like custom connectors or integration runtimes if you’re gluing SaaS into your wider estate)

Microsoft secures and operates the underlying physical hosts, hypervisor, operating system, platform middleware and the SaaS application itself—but you still have to secure your side of the fence: your identity plumbing, network connectivity, endpoint protection and the SaaS-service configurations that tie into them. That’s why in the AZ-900 training module identity & infrastructure sit in the “shared” zone for SaaS.

Hope that helps clarify why “infrastructure” shows up as shared in that graphic!

References

1. Azure fundamentals learning module: Describe the shared responsibility model https://dotnet.territoriali.olinfo.it/training/modules/describe-cloud-compute/4-describe-shared-responsibility-model
2. Azure Security – shared responsibility overview https://dotnet.territoriali.olinfo.it/azure/security/fundamentals/shared-responsibility?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider#division-of-responsibility