The Three Cloud Service Types
Cloud services are categorized into three models based on how much of the stack the provider manages versus how much the customer manages. The spectrum runs from maximum customer control (IaaS) to minimum customer effort (SaaS).
| IaaS | PaaS | SaaS | |
|---|---|---|---|
| Physical infrastructure | Provider | Provider | Provider |
| Physical security | Provider | Provider | Provider |
| Network connectivity | Provider | Provider | Provider |
| Operating system | Customer | Provider | Provider |
| Middleware / runtime | Customer | Provider | Provider |
| Development tools | Customer | Provider | Provider |
| Applications | Customer | Customer | Provider |
| Data | Customer | Customer | Customer |
| Identity & access | Customer | Shared | Shared |
Infrastructure as a Service (IaaS)
IaaS (Infrastructure as a Service)The most flexible cloud service category where the provider manages physical hardware, network connectivity, and physical security — and the customer controls everything else including the OS, networking config, databases, and applications. is best thought of as renting the hardware: the datacenter, servers, and network are there, but you decide what to run on them.
Common IaaS use cases:
| Scenario | Why IaaS fits |
|---|---|
| Lift-and-shift migration | Replicate your on-premises configuration in the cloud without re-architecting |
| Dev/test environments | Spin up and tear down identical environments rapidly with full control |
| Custom OS configurations | When you need a specific OS version or non-standard configuration |
| High-performance computing | Direct control over compute resources without platform constraints |
Azure IaaS examples: Azure Virtual Machines, Azure Virtual Network, Azure Disk Storage.
Platform as a Service (PaaS)
PaaS (Platform as a Service)The middle-ground cloud service model where the provider manages physical infrastructure AND the operating system, middleware, development tools, and analytics services, while the customer focuses on building and deploying applications and data. is best thought of as renting a managed development environment: the scaffolding is maintained for you, so developers write code rather than configure servers.
Common PaaS use cases:
| Scenario | Why PaaS fits |
|---|---|
| Application development | Developers focus on code; no OS patching or server management |
| Analytics and business intelligence | Managed analytics platforms process data without infrastructure overhead |
| API backends | Managed runtimes handle scaling and availability automatically |
| Database as a service | Managed databases handle patching and backups |
Azure PaaS examples: Azure App Service, Azure SQL Database, Azure Functions, Azure Kubernetes Service (managed control plane), Azure Cognitive Services.
Software as a Service (SaaS)
SaaS (Software as a Service)The most complete cloud service model where the customer uses a fully developed, hosted application and the provider manages everything — infrastructure, platform, and the application itself. is best thought of as renting a finished product: you configure it and put your data in it, but you do not build or maintain it.
Common SaaS use cases:
| Scenario | Why SaaS fits |
|---|---|
| Email and calendaring | No infrastructure required; provider handles uptime |
| Collaboration tools | Teams, Slack, SharePoint Online — ready to use |
| Productivity suites | Microsoft 365 apps — always up-to-date, no deployment needed |
| CRM systems | Salesforce, Dynamics 365 — subscribe and configure |
SaaS is the least flexible model but requires the least technical knowledge and gets teams productive the fastest.
Choosing the Right Service Type
| Question to ask | Points to IaaS | Points to PaaS | Points to SaaS |
|---|---|---|---|
| Who controls the OS? | Customer needs control | Provider can manage it | N/A |
| Is this an existing app being migrated? | Lift-and-shift → IaaS | Re-platform → PaaS | Replace with SaaS |
| Is this for developers building new apps? | Custom OS needs | Standard dev environment | Ready-made tool |
| Does the team want zero infrastructure work? | No | Partial yes | Yes |
| Is the solution a finished product (email, CRM)? | No | No | Yes |
Responsibility Distribution Across All Models
| Layer | On-Premises | IaaS | PaaS | SaaS |
|---|---|---|---|---|
| Physical datacenter | Customer | Provider | Provider | Provider |
| Physical hosts | Customer | Provider | Provider | Provider |
| Operating system | Customer | Customer | Provider | Provider |
| Middleware / runtime | Customer | Customer | Provider | Provider |
| Applications | Customer | Customer | Customer | Provider |
| Identity & access | Customer | Customer | Shared | Shared |
| Data | Customer | Customer | Customer | Customer |
The golden rule: As you move from IaaS → PaaS → SaaS, responsibility shifts left (toward the provider). Data and identity remain with the customer in every model.
Service Type Decision Matrix
| Scenario | Correct Answer | Why |
|---|---|---|
| Migrate a Windows Server app to Azure as-is | IaaS | Needs OS control; lift-and-shift |
| Build a new web API without managing servers | PaaS | App Service handles runtime |
| Give all employees email with no infrastructure | SaaS | Exchange Online / Microsoft 365 |
| Host a SQL database without patching | PaaS | Azure SQL Database |
| Run a legacy app requiring a custom OS kernel | IaaS | Full OS control needed |
| Provide CRM to the sales team instantly | SaaS | Dynamics 365 / Salesforce |
Azure Services Mapped to Service Types
| Azure Service | Service Type | Key Reason |
|---|---|---|
| Azure Virtual Machines | IaaS | Customer manages OS and above |
| Azure Virtual Network | IaaS | Customer configures networking |
| Azure App Service | PaaS | Provider manages runtime and OS |
| Azure SQL Database | PaaS | Provider manages patching and backups |
| Azure Functions (Consumption plan) | PaaS/Serverless | No VM to manage |
| Azure Kubernetes Service | PaaS | Managed control plane; customer manages workloads |
| Microsoft 365 (Exchange, Teams, SharePoint) | SaaS | Fully managed applications |
| Dynamics 365 | SaaS | Fully managed CRM/ERP |
Explore Service Types in the Azure Portal
Step 1 — IaaS: Create a Virtual Machine (awareness)
- Sign in to portal.azure.com.
- Navigate to Virtual Machines → + Create → Azure virtual machine.
- Observe the configuration options: OS image, VM size, disks, networking — all customer-controlled. This is IaaS.
- Cancel without creating (to avoid charges).
Step 2 — PaaS: Explore App Service
- Navigate to App Services → + Create → Web App.
- Observe: you choose a runtime stack (Node.js, Python, .NET) but do NOT configure an OS — the provider manages it.
- Note the App Service Plan — this is the managed hosting environment (PaaS compute).
- Cancel without creating.
Step 3 — SaaS: Explore Microsoft 365 Admin Center
- Navigate to admin.microsoft.com (requires Microsoft 365 tenant).
- Browse Users → Active users — you manage users and licenses, but the applications (Exchange, Teams) are fully provider-managed.
- Notice there are no server settings, OS configurations, or patching options — this is SaaS.
Step 4 — Azure Marketplace: Service Type Comparison
- In the Azure portal, search Marketplace.
- Browse categories: filter for "Virtual Machines" (IaaS), "Web" (PaaS), and "SaaS" (SaaS tab).
- Observe how offerings in each category differ in what the customer configures.
AZ-900 Exam Focus
Exam Trap
"Azure Functions is always IaaS because it uses compute" — False. Azure Functions in the Consumption or Premium plan is PaaS/Serverless. You don't manage the underlying OS or VM — the platform handles it. Only deploying to dedicated VMs moves you toward IaaS.
Exam Trap
"Lift-and-shift means PaaS" — False. Lift-and-shift specifically means moving an existing workload to the cloud with minimal changes. This is an IaaS scenario — you replicate your on-premises setup. PaaS involves re-platforming (modifying the app to use managed services).
Exam Trap
"SaaS is the best option for all scenarios" — SaaS is the easiest to start but it is the least flexible. For workloads requiring custom OS configurations or full application control, IaaS is more appropriate. The exam tests fit, not preference.
Exam Trap
"PaaS means no security responsibility" — Identity, access, and data remain customer responsibilities in PaaS. The provider handles OS and middleware; you manage who accesses your app and what data you store.
Exam Tip
Lift-and-shift = IaaS. Re-platform = PaaS. Replace = SaaS. These three migration strategies map directly to service types. Memorizing this mapping handles a category of AZ-900 questions cleanly.
Must Memorize
Customer always manages (all models): Data · Identity and access
IaaS customer also manages: OS · Middleware · Applications
PaaS customer also manages: Applications (and data, identity)
SaaS customer manages: Data · Identity · Device access only
Question — click to flip
Q: What is the main difference between IaaS and PaaS?
Question — click to flip
Q: Which service type is best for a lift-and-shift migration?
Question — click to flip
Q: Which service type requires the least technical knowledge to get started?
Question — click to flip
Q: In which cloud service model is the customer responsible for operating system maintenance?
Question — click to flip
Q: Is Microsoft 365 IaaS, PaaS, or SaaS? Why?
Question — click to flip
Q: What are the three customer responsibilities that persist across ALL cloud service models?