Logical architecture is the design layer that defines how an enterprise Microsoft environment is organized, structured, and governed — independent of the physical hardware or cloud infrastructure that hosts it. For Microsoft ecosystems, this covers SharePoint site collection structure, Azure subscription hierarchy, Microsoft 365 tenant configuration, and data flow design. EPC Group has 29 years of enterprise Microsoft architecture experience.
Key Facts
- Logical architecture defines structure and governance. Physical architecture defines hardware and infrastructure. Both are needed, but logical design comes first.
- Microsoft architecture decisions made in 2005–2010 (Active Directory schema, SharePoint farm topology) still affect Copilot grounding quality and Entra ID policy design in 2026.
- A logical architecture design document costs orders of magnitude less to change than a production environment restructuring.
- EPC Group has designed logical architectures for SharePoint estates, Azure environments, Microsoft 365 tenants, and Dynamics 365 deployments across Fortune 500 and regulated-industry clients.
Logical Architecture Planning for Microsoft Environments
Logical architecture is the design layer that defines the organization, structure, and governance of a Microsoft enterprise environment, independent of the physical hardware or cloud infrastructure that hosts it.
- It defines the relationships between different components.
- It establishes governance policies for data management.
- It ensures compliance with industry standards.
For Microsoft ecosystems, this covers:
- SharePoint site collection structure
- Azure subscription hierarchy
- Microsoft 365 tenant configuration
- Data flow design
EPC Group has 29 years of experience in enterprise Microsoft architecture.
What logical architecture covers in Microsoft environments
Logical architecture defines four domains in a typical Microsoft deployment.
- SharePoint information architecture — site collection hierarchy, hub-spoke topology, navigation structure, content type taxonomy, and permissions model. Modern SharePoint in 2026 follows a hub-spoke pattern: 1 root hub per business unit, 5–15 spoke sites per hub.
- Azure subscription hierarchy — management group structure, subscription layout by environment (Prod, Dev, Test) and business unit, resource group naming conventions, and landing zone design.
- Microsoft 365 tenant configuration — identity model (cloud-only vs hybrid), licensing structure, group management (Azure AD groups vs Microsoft 365 groups), and tenant-wide policy governance.
- Data architecture — how data flows between systems, where data resides (OneLake, Azure SQL, SharePoint, Dataverse), and how data classification and sensitivity labels apply across the environment.
Why logical architecture decisions have long-term consequences
Microsoft platform decisions layer on top of each other over time. Early architecture choices constrain future options.
- Active Directory schema decisions from 2005 affect how Entra ID Conditional Access policies can be structured in 2026.
- SharePoint 2003 information architecture decisions (flat site collection structure, legacy permissions) affect how well Microsoft Copilot can ground responses in 2026.
- Azure subscription structures designed for a single region become expensive to reorganize when multi-region expansion requires policy management at scale.
- A logical architecture that was right for 5,000 users often needs redesign at 50,000 users — but redesigning after the fact is 10–50 times more expensive than designing correctly upfront.
SharePoint logical architecture: key design decisions
SharePoint logical architecture has five critical design decisions.
- Hub-spoke vs flat topology — hub-spoke (one hub per business unit, spoke sites for teams and projects) is the current Microsoft recommendation. Flat architectures with hundreds of independent site collections create navigation and Copilot grounding challenges.
- Site collection vs subsite — modern SharePoint discourages subsites. Use site collections with hub association instead. Each site collection has its own permissions boundary.
- Managed metadata taxonomy — define enterprise content types and term sets before users start creating sites. Retrofitting taxonomy to an existing content environment is expensive.
- Permissions inheritance model — decide at design time whether site permissions inherit from the hub or are site-unique. Broken inheritance creates Copilot oversharing risk.
- Home site designation — define which site is the organization home site. This determines the top-level entry point in the SharePoint app bar and Viva Connections.
Azure logical architecture: key design decisions
Azure logical architecture starts with the management group hierarchy.
- Management groups — organize subscriptions into management groups (by environment, business unit, or compliance boundary). Azure Policy inherits down through the management group hierarchy.
- Subscription design — one subscription per major environment (Production, Non-Production) per business unit is a common pattern. Separating subscriptions by environment isolates blast radius for policy changes.
- Landing zones — the Azure Cloud Adoption Framework landing zone provides a pre-validated subscription configuration including hub-spoke networking, Azure Monitor, Microsoft Sentinel, and Azure Policy. Deploying a landing zone in Bicep or Terraform takes 4–7 days vs 6–12 weeks of manual configuration.
- Network topology — hub-spoke virtual network design with private endpoints for PaaS services. Connectivity hub provides shared egress, DNS, and firewall for all spoke workload subscriptions.
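The inheritance and blast-radius points above can be checked against a design before anything is deployed. The following is an added example, not EPC Group's or Microsoft's code: it models a management group tree and computes which policy assignments each subscription inherits and which subscriptions a change at a given scope reaches. All scope names, policy names, and the dictionary layout are hypothetical.

```python
# Constructed hierarchy (child -> parent); all names are hypothetical.
PARENT = {
    "mg-platform": "mg-root", "mg-prod": "mg-root", "mg-nonprod": "mg-root",
    "sub-connectivity": "mg-platform",
    "sub-finance-prod": "mg-prod", "sub-hr-prod": "mg-prod",
    "sub-finance-dev": "mg-nonprod",
}

# Constructed assignments: the scope of each policy and the child scopes it excludes.
ASSIGNMENTS = [
    {"name": "require-resource-tags", "scope": "mg-root", "not_scopes": []},
    {"name": "deny-public-ip", "scope": "mg-root", "not_scopes": ["mg-nonprod"]},
    {"name": "require-private-endpoints", "scope": "mg-prod", "not_scopes": []},
    {"name": "allow-sandbox-skus", "scope": "sub-finance-dev", "not_scopes": []},
]


def scope_chain(scope):
    """Return the scope and its ancestors, root first."""
    chain = [scope]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain[::-1]


def subscriptions():
    """Leaves of the hierarchy: scopes that are nobody's parent."""
    return sorted(set(PARENT) - set(PARENT.values()))


def effective_policies(subscription):
    """Policies a subscription inherits, ordered from the root scope down."""
    chain = scope_chain(subscription)
    hits = [a for a in ASSIGNMENTS
            if a["scope"] in chain and not set(a["not_scopes"]) & set(chain)]
    return [a["name"] for a in sorted(hits, key=lambda a: chain.index(a["scope"]))]


def blast_radius(scope):
    """Subscriptions at or below this scope, which a change there would reach."""
    return [s for s in subscriptions() if scope in scope_chain(s)]


if __name__ == "__main__":
    for sub in subscriptions():
        print(sub, effective_policies(sub))
    print("change at mg-prod reaches:", blast_radius("mg-prod"))
```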
Microsoft 365 tenant logical architecture
- Identity model — cloud-only identity (Azure AD only) vs hybrid identity (on-premises AD synced to Azure AD via Entra ID Connect). Hybrid is required if users need on-premises resource access. Cloud-only is simpler for new organizations.
- Licensing strategy — map Microsoft 365 license tiers (E3/E5, Business Premium, F1/F3) to user roles. Over-licensing waste is common. Under-licensing creates compliance gaps.
- Group governance — decide the group creation policy. Unrestricted group creation leads to hundreds of orphaned Microsoft 365 Groups. Apply a naming policy and an expiration policy, and restrict group creation to owner-approved creation only.
- Conditional Access policy structure — design Conditional Access as a set of layered named policies (baseline, compliant device, privileged access) rather than one monolithic policy. Layered policies are easier to modify without breaking access for specific user populations.
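The layering claim above can be tested on paper before policies are enabled. The following is an added example, not code from EPC Group or Microsoft: it treats every applicable policy as mandatory, so controls accumulate across layers, and reports which user populations are affected when one layer changes. Group names, control labels, and the dictionary keys are a simplified, hypothetical model rather than the Microsoft Graph schema.

```python
# Constructed policy set. Keys and control labels are a simplified,
# hypothetical model, not the Microsoft Graph schema.
LAYERED = [
    {"name": "CA01-Baseline", "include": {"all-users"}, "exclude": set(),
     "controls": {"mfa"}},
    {"name": "CA02-CompliantDevice", "include": {"employees"},
     "exclude": {"contractors"}, "controls": {"compliant_device"}},
    {"name": "CA03-PrivilegedAccess", "include": {"admins"}, "exclude": set(),
     "controls": {"admin_workstation"}},
]

# Constructed populations: name -> group memberships of a typical member.
POPULATIONS = {
    "employee": {"all-users", "employees"},
    "contractor": {"all-users", "employees", "contractors"},
    "admin": {"all-users", "employees", "admins"},
}


def applies(policy, groups):
    """A policy applies when some group is included and none is excluded."""
    return bool(policy["include"] & groups) and not policy["exclude"] & groups


def required_controls(policies, groups):
    """Every applicable policy must be satisfied, so controls accumulate."""
    return set().union(*(p["controls"] for p in policies if applies(p, groups)))


def impact_of_change(before, after, populations=POPULATIONS):
    """Populations whose required controls differ between two policy sets."""
    return sorted(n for n, g in populations.items()
                  if required_controls(before, g) != required_controls(after, g))


def tighten_privileged(policies):
    """Return a copy in which only the privileged-access layer gains a control."""
    return [dict(p, controls=p["controls"] | {"session_timeout"})
            if p["name"] == "CA03-PrivilegedAccess" else p for p in policies]


if __name__ == "__main__":
    for name, groups in POPULATIONS.items():
        print(name, sorted(required_controls(LAYERED, groups)))
    print("changed:", impact_of_change(LAYERED, tighten_privileged(LAYERED)))
```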
Frequently asked questions
What is the difference between logical and physical architecture?
Logical architecture defines structure, organization, and governance — how systems are organized and how they relate to each other.
Physical architecture defines the hardware, servers, and infrastructure that run the logical design. In cloud environments, physical architecture is largely managed by Microsoft. Logical architecture is always your responsibility.
How long does a logical architecture design take?
Designing a SharePoint information architecture for a mid-size organization, with 5,000 to 20,000 users, usually takes 3 to 6 weeks. An Azure landing zone design typically requires 2 to 4 weeks. A full review and design of a Microsoft 365 tenant architecture takes around 4 to 8 weeks.
For complex enterprises that have multiple legal entities, regions, and compliance frameworks, the process can take 10 to 20 weeks.
What deliverables does an EPC Group logical architecture engagement produce?
Standard deliverables include the following items:
- A logical architecture diagram (Visio or Lucidchart)
- A SharePoint information architecture spreadsheet (site, hub, permissions, sensitivity label mapping)
- An Azure subscription design document
- A Microsoft 365 configuration baseline
- A governance decision log with rationale for each key design choice
Can we change our SharePoint logical architecture after deployment?
Yes, but it is expensive. Moving site collections between hubs, consolidating a flat architecture into hub-spoke, or changing permission inheritance requires a migration project.
EPC Group has completed SharePoint IA restructuring projects for organizations that outgrew their original architecture. Prevention — good design upfront — is always cheaper.
Do we need a logical architecture if we are already on Microsoft 365?
Deploying Microsoft Copilot is crucial for effective content retrieval. Copilot accesses content based on current SharePoint permissions and the information structure.
If the information architecture (IA) is weak, Copilot might provide irrelevant or sensitive content. This can lead to significant issues for users and organizations.
Many organizations find that their existing architecture needs redesigning before it is safe to deploy Copilot. Consider the following:
- Assess current SharePoint permissions.
- Evaluate the existing information structure.
- Redesign the architecture if necessary.
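The permissions assessment in the list above, and the broken-inheritance risk named under the SharePoint design decisions, can start from a permissions export. The following is an added example, not EPC Group's tooling: it scans a constructed CSV export for grants to organization-wide principals and counts objects with unique permissions per site. The column layout and site names are hypothetical.

```python
import csv
import io
from collections import Counter

# Constructed permissions export; the column layout is hypothetical.
SAMPLE_EXPORT = """site,object,unique_permissions,principal,role
/sites/hr-hub,/,false,HR Members,Edit
/sites/hr-payroll,/,false,Payroll Members,Edit
/sites/hr-payroll,/Shared Documents/Salaries,true,Everyone except external users,Read
/sites/fin-projects,/Lists/Budget,true,Finance Owners,Full Control
/sites/fin-projects,/Shared Documents/Board,true,Everyone,Read
/sites/intranet,/,false,Everyone except external users,Read
"""

# Built-in SharePoint principals that cover the whole organization.
BROAD_PRINCIPALS = {"everyone", "everyone except external users"}


def audit(export_text):
    """Return (findings, unique_counts) from a permissions export.

    findings: (severity, site, object, principal) for grants to broad principals.
    A broad grant on an object with unique permissions is "high" because a
    site-level review does not show it; a site-level broad grant is "review".
    unique_counts: number of objects with broken inheritance per site.
    """
    findings, unique_objects = [], set()
    for row in csv.DictReader(io.StringIO(export_text)):
        unique = row["unique_permissions"].strip().lower() == "true"
        if unique:
            unique_objects.add((row["site"], row["object"]))
        if row["principal"].strip().lower() in BROAD_PRINCIPALS:
            severity = "high" if unique else "review"
            findings.append((severity, row["site"], row["object"], row["principal"]))
    findings.sort()  # "high" sorts before "review"
    return findings, dict(Counter(site for site, _ in unique_objects))


if __name__ == "__main__":
    results, counts = audit(SAMPLE_EXPORT)
    for finding in results:
        print(*finding, sep=" | ")
    print("objects with unique permissions per site:", counts)
```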
Start your architecture design engagement
EPC Group designs logical architectures for SharePoint, Azure, Microsoft 365, and Dynamics 365 environments. Call (888) 381-9725 or request a 30-minute discovery call.
Microsoft Strategy: 2026 Considerations for Logical Architecture
Microsoft Solutions Partner status has six designations:
- Data and AI
- Modern Work
- Infrastructure
- Security
- Digital and App Innovation
- Business Applications
This status replaced the old Microsoft Gold Partner program in 2022.
EPC Group maintained the longest continuous Microsoft Gold Partner status in North America from 2016 to 2022. We now hold the core Solutions Partner designations. This credential is shared by fewer than 50 firms globally.
Microsoft field teams frequently use our status as a vetting tool for:
- Enterprise Customer 0 nominations
- Named-account engagements
EPC Group has a 29-year history in Microsoft consulting. This experience is crucial because current Microsoft platform decisions build on 25 years of past architectural choices. For example:
- Active Directory schema decisions from 2005 influence Microsoft Entra ID Conditional Access policy design in 2026.
- SharePoint 2003 information architecture decisions affect Copilot grounding quality in 2026.
Firms that can navigate this complexity—fewer than a dozen Microsoft Solutions Partners in North America—gain a structural advantage in enterprise Microsoft migrations.
Decision factors EPC Group evaluates
- Enterprise architecture roadmap
- Cost optimization and licensing audit
- Microsoft platform capability assessment
- Vendor consolidation analysis
- Compliance and governance posture review
EPC Group covers this topic across the relevant engagement portfolio. Reach the firm at contact@epcgroup.net for a 30-minute architect conversation.