Customer vs Cloud Provider – Who Owns What in Azure?
A lot of organisations move to the cloud thinking they have handed off their security headaches to Microsoft. They have not. Here is the exact breakdown of who owns what.
- Every responsibility that belongs permanently to Microsoft Azure as the cloud provider
- Every responsibility that permanently stays with the customer regardless of service used
- How to think about the boundary between provider and customer in practical terms
- Common mistakes organisations make by misunderstanding their own cloud responsibilities
What Does "Customer vs Cloud Provider" Mean?
When you use Microsoft Azure, you are entering into a shared arrangement. Microsoft commits to securing and maintaining certain layers of the technology. You commit to securing and managing everything on your side of the line.
Thinking of it as a contract helps. Microsoft's side of the contract includes the physical world — data centers, servers, power, cooling, hardware, and networking. Your side of the contract includes your digital world — who gets access to your systems, what data you store, how your applications are configured, and whether your users follow good security practices.
The exact boundary between these two sides is not fixed at one point — it moves depending on which Azure service you use. But some things are always Microsoft's and some things are always yours.
Why Does This Matter?
Every cloud security incident investigation eventually comes down to this question: whose side of the responsibility line did the failure happen on? Understanding this clearly is not just exam knowledge — it is the foundation of sound cloud governance, compliance, and security architecture. In most Azure-related roles, you will be expected to understand and articulate your organisation's responsibilities under this model.
The Real-World Story
Imagine a modern co-working space where multiple companies rent desks and offices. The building management company owns the building and is responsible for everything structural: the walls, the roof, the power supply, the plumbing, the lifts, the main entrance door and its security system, the CCTV in common areas, and the fire suppression systems. If the electricity fails because of a fault in the building's wiring, that is the building management's responsibility.

Each tenant company is responsible for what happens inside their own rented space: their laptops, their files, their printers, their passwords, their internal processes. They decide who gets a keycard to their office. They decide who can access their servers. They decide what happens to their own customer documents. If an employee at a tenant company shares their office keycard with an unauthorised person and data is stolen, that is entirely the tenant's responsibility — not the building management's.

Azure is the building management. Your organisation is the tenant. Both parties have clear, non-negotiable obligations — and neither can pass blame to the other for failing their own side.
Going Deeper
Microsoft Azure's permanent responsibilities cover the physical and foundational layers of cloud infrastructure. Azure is responsible for maintaining and securing all physical data center facilities — including access control, environmental monitoring, fire suppression, power redundancy, and physical intrusion prevention. Azure is responsible for all hardware: servers, storage arrays, networking switches, and routers. Azure is responsible for the global network backbone that connects its regions and availability zones. Azure is responsible for the hypervisor and virtualisation layer that creates isolation between customers sharing physical infrastructure. These are non-negotiable — customers have no visibility into or control over these layers, and Microsoft is fully accountable for their security and reliability.
Customer permanent responsibilities cover the human and data layers of cloud usage. You are responsible for all data you store in Azure — its classification, protection, backup strategy, and compliance with data regulations. You are responsible for all user accounts — creating them, assigning appropriate permissions, enforcing password policies, and disabling accounts when employees leave. You are responsible for access management — who can do what in your Azure environment, which service accounts exist and what permissions they carry, and whether multi-factor authentication is enforced. You are responsible for end devices — laptops, phones, and workstations that connect to your Azure resources. You are responsible for the applications your team builds and the security practices within them.
A common mistake organisations make is assuming that because they pay for a premium Azure service with advanced security features, Microsoft handles their security completely. Azure provides the tools and the infrastructure security. Using those tools correctly — configuring them, monitoring them, and responding to what they tell you — is always the customer's job. A security dashboard that nobody looks at protects nobody.
- Microsoft Azure permanently owns responsibility for physical data center security, all hardware, the global network, and the virtualisation and hypervisor layer.
- Customers permanently own responsibility for their data, user accounts, identity and access management, end-user devices, and application security.
- The boundary between provider and customer responsibility shifts for OS, middleware, and applications depending on whether you use IaaS, PaaS, or SaaS.
- Having access to advanced security tools in Azure does not mean security is handled — configuring and monitoring those tools is always the customer's responsibility.
- Understanding this split is essential for cloud governance, compliance audits, and correctly assigning accountability in any Azure security incident.
