EPC Group - Enterprise Microsoft AI, SharePoint, Power BI, and Azure Consulting

Logical Architecture

Errin O'Connor
December 2025

Logical architecture is the foundational design layer that defines how an enterprise technology environment is organized, structured, and governed -- independent of the physical hardware or cloud infrastructure that hosts it. In the Microsoft ecosystem, logical architecture planning encompasses how SharePoint site collections are structured, how Azure subscriptions and resource groups are organized, how Microsoft 365 tenants are configured, and how data flows between systems. A well-designed logical architecture ensures scalability, security, compliance, and maintainability for years to come. A poorly designed one creates technical debt that costs millions to remediate.

What Is Logical Architecture?

Logical architecture describes the abstract organization of technology components -- how systems, services, data, and users are grouped, connected, and governed. It sits between business requirements (what the organization needs) and physical architecture (where things run). Key distinctions:

  • Physical Architecture: Describes the hardware, servers, networks, and data centers that host the environment. In cloud environments, this translates to Azure regions, virtual networks, server SKUs, and storage accounts.
  • Logical Architecture: Describes how components are organized within the physical infrastructure -- tenant boundaries, subscription hierarchies, site collection structures, security zones, data classification tiers, and integration patterns.
  • Information Architecture: A subset of logical architecture focused specifically on how content, data, and metadata are organized -- taxonomy, navigation, content types, and search configuration.

Logical architecture decisions are among the most consequential in any enterprise technology implementation. Changing physical infrastructure (upgrading servers, adding storage) is relatively straightforward. Changing logical architecture (restructuring site collections, reorganizing Azure subscriptions, redefining security boundaries) is extremely expensive and disruptive.

SharePoint Logical Architecture

SharePoint logical architecture has been a core EPC Group competency since the platform's inception. Our SharePoint consulting team has designed logical architectures for organizations from 500 to 100,000+ users. Whether on-premises or SharePoint Online, the logical architecture defines:

  • Site Collection Hierarchy: How site collections are organized -- by department, by function, by project, by geography, or by security boundary. Each approach has tradeoffs in governance, navigation, search, and permissions management.
  • Hub Sites: In SharePoint Online, hub sites provide logical groupings of related sites without requiring a hierarchical site collection structure. Hub sites enable shared navigation, search scoping, and consistent branding across associated sites.
  • Content Types and Managed Metadata: The taxonomy and content classification system that enables consistent metadata across the entire environment. Content types define document templates and metadata schemas. Managed metadata (term store) provides controlled vocabularies for tagging and classification.
  • Search Architecture: How search is configured, including content sources, result sources, query rules, search verticals, and managed properties. In large environments, search architecture determines whether users can find the content they need or drown in irrelevant results.
  • Security Zones: How permissions are structured across the environment. Best practice is to use Azure AD/Entra ID groups for permissions, avoid breaking inheritance excessively, and implement a permissions model that is both secure and manageable.
  • Governance Boundaries: Where governance policies (retention, DLP, sensitivity labels, external sharing) are applied. Different site collections or hub sites may have different governance requirements based on the content they contain.

Azure Logical Architecture

For Azure cloud environments, logical architecture defines the organizational hierarchy that governs resource management, cost allocation, security, and compliance:

  • Management Group Hierarchy: Azure management groups organize subscriptions into a hierarchical structure that mirrors your organization. Policies, RBAC (Role-Based Access Control), and budgets can be applied at the management group level and inherited by all subscriptions beneath.
  • Subscription Design: Subscriptions are the primary billing and governance boundary in Azure. Common patterns include: one subscription per environment (dev, staging, production), one subscription per business unit, or one subscription per workload. The choice depends on cost allocation requirements, compliance boundaries, and administrative delegation needs.
  • Resource Group Strategy: Resource groups contain Azure resources that share a common lifecycle. Design resource groups around deployment units -- resources that are created, updated, and deleted together. This simplifies management, cost tracking, and access control.
  • Virtual Network Design: The network topology defines how Azure resources communicate with each other and with on-premises networks. Hub-and-spoke topology is the most common enterprise pattern, with a central hub virtual network providing shared services (DNS, firewall, VPN gateway) and spoke networks for individual workloads.
  • Landing Zone Architecture: Microsoft's Cloud Adoption Framework defines "landing zones" -- pre-configured Azure environments with networking, identity, governance, and security foundations already in place. EPC Group implements landing zones aligned with the Azure Cloud Adoption Framework to accelerate enterprise Azure deployments.
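
The inheritance described for management groups above can be checked mechanically. The following is an added example, not EPC Group's code: a small Python model of a constructed hierarchy (all scope and group names are hypothetical) that lists the role assignments effective at a scope and reports where a delegated administrator group reaches outside its own business unit.

```python
# Added example: a constructed hierarchy, not an export from a real tenant.
from dataclasses import dataclass, field

@dataclass(eq=False)                      # compare scopes by identity
class Scope:
    name: str
    kind: str                             # "mg", "subscription" or "rg"
    parent: "Scope | None" = None
    assignments: list = field(default_factory=list)  # (principal, role) made here

    def path(self):
        """Scopes from the root down to this one."""
        return (self.parent.path() if self.parent else []) + [self]

def effective_access(scope):
    """(principal, role, assigned_at) for every assignment that applies at scope."""
    return [(p, r, s.name) for s in scope.path() for (p, r) in s.assignments]

def escapes_boundary(principal, boundary, all_scopes):
    """Names of scopes outside boundary's subtree where principal holds a role."""
    return [s.name for s in all_scopes
            if boundary not in s.path()
            and any(p == principal for p, _, _ in effective_access(s))]

# Hypothetical names throughout; "Owner" and "Contributor" are Azure built-in roles.
root = Scope("Tenant Root Group", "mg")
corp = Scope("mg-corp", "mg", root)
finance = Scope("mg-finance", "mg", corp)
hr = Scope("mg-hr", "mg", corp)
fin_prod = Scope("sub-finance-prod", "subscription", finance)
fin_rg = Scope("rg-ledger", "rg", fin_prod)
hr_prod = Scope("sub-hr-prod", "subscription", hr)
ALL_SCOPES = [root, corp, finance, hr, fin_prod, fin_rg, hr_prod]

root.assignments.append(("grp-platform-admins", "Owner"))
finance.assignments.append(("grp-finance-admins", "Contributor"))
corp.assignments.append(("grp-hr-admins", "Contributor"))  # assigned one level too high

if __name__ == "__main__":
    for entry in effective_access(fin_rg):
        print("rg-ledger:", entry)
    for group, unit in (("grp-finance-admins", finance), ("grp-hr-admins", hr)):
        print(group, "reaches outside", unit.name, "at:",
              escapes_boundary(group, unit, ALL_SCOPES) or "nowhere")
```

The HR group's assignment at the shared parent is inherited by every finance scope, which is the kind of drift a design review should catch before the hierarchy is populated with workloads.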

Microsoft 365 Logical Architecture

The Microsoft 365 tenant is the top-level logical boundary for enterprise collaboration, and its architecture decisions ripple through every Microsoft service:

  • Single vs. Multi-Tenant: Most organizations should use a single Microsoft 365 tenant. Multi-tenant configurations (common after mergers and acquisitions) create collaboration friction, licensing complexity, and governance challenges. Tenant consolidation is often a high-priority initiative post-acquisition.
  • Azure AD / Entra ID Structure: The identity architecture -- how users, groups, administrative units, and roles are organized -- underpins every Microsoft 365 service. Well-designed identity architecture uses dynamic groups, administrative units for delegated administration, and conditional access policies segmented by user risk and location.
  • Teams and Groups Architecture: How Microsoft 365 groups are governed (naming conventions, creation policies, expiration, guest access) determines the long-term manageability of the Teams environment.
  • Data Classification and Protection: Microsoft Purview sensitivity labels, DLP policies, and retention policies form the logical architecture for data governance across the entire Microsoft 365 ecosystem.

Logical Architecture Design Process

EPC Group follows a structured process for logical architecture design:

  1. Requirements Gathering: Understand business objectives, user personas, content volumes, compliance requirements, security policies, and growth projections. Architecture decisions must be driven by business needs, not technology preferences.
  2. Current State Assessment: Document the existing environment -- what exists today, where data lives, how it is organized, who owns it, and what governance policies (or lack thereof) are in place.
  3. Architecture Design: Create the logical architecture design documents, including hierarchy diagrams, security zone maps, data flow diagrams, governance policies, and naming conventions. Review the design with stakeholders from IT, business units, compliance, and security.
  4. Validation and Testing: Validate the design against real-world scenarios -- can a user in Department X find content from Project Y? Can an auditor run a compliance report across all healthcare-related content? Can an administrator delegate management of a business unit's sites without granting tenant-wide access?
  5. Implementation: Deploy the logical architecture in a staged approach, starting with the foundation (identity, security zones, governance policies) before building out specific workload areas (SharePoint sites, Azure resource groups, Teams governance).
  6. Documentation and Training: Document the architecture decisions, rationale, and governance procedures. Train administrators and site owners on the architecture standards they must follow.

Why EPC Group for Logical Architecture Design

EPC Group has designed logical architectures for enterprise organizations with 10,000 to 100,000+ users across healthcare, financial services, government, manufacturing, and education. Our founder, Errin O'Connor, authored the bestselling Microsoft Press book on SharePoint enterprise architecture, which remains the definitive guide to logical architecture planning in the SharePoint ecosystem.

With over 28 years of Microsoft consulting expertise, EPC Group brings the experience needed to make architecture decisions that stand the test of time. We have seen what works at scale, what fails, and what creates technical debt that organizations regret for years. Our logical architecture designs are built for the next 5-10 years, not just the next project.

Need Enterprise Architecture Design?

EPC Group can design the logical architecture for your SharePoint, Azure, and Microsoft 365 environment -- built for scalability, security, compliance, and long-term maintainability. Contact us for a free architecture consultation.


Frequently Asked Questions

What is the difference between logical architecture and physical architecture?

Physical architecture describes the hardware and infrastructure -- servers, networks, storage, cloud regions, and compute resources. Logical architecture describes how components are organized within that infrastructure -- site hierarchies, security zones, subscription structures, data classification tiers, and governance boundaries. In cloud environments like Azure and Microsoft 365, logical architecture decisions are often more impactful than physical ones because Microsoft manages the physical infrastructure.

How long does logical architecture design take?

For a single workload (SharePoint Online or Azure), logical architecture design typically takes 3-6 weeks including requirements gathering, current state assessment, design, and stakeholder review. For a comprehensive enterprise architecture spanning Microsoft 365, Azure, and Power Platform, expect 8-12 weeks. The investment in proper architecture design saves months or years of remediation later.

Can logical architecture be changed after deployment?

Some elements can be changed relatively easily (group policies, naming conventions, governance rules), while others are extremely difficult to change (tenant boundaries, site collection hierarchies, Azure subscription structures, security zone designs). This is why getting the architecture right during the design phase is so important -- it is orders of magnitude cheaper to change a design document than to restructure a production environment.

Do we need separate logical architectures for each Microsoft service?

No. The most effective approach is a unified logical architecture that spans the entire Microsoft ecosystem -- Azure, Microsoft 365, SharePoint, Teams, and Power Platform. These services share a common identity layer (Entra ID), common governance tools (Purview), and common security infrastructure (Defender). Designing them in isolation leads to inconsistencies, gaps, and duplicate effort.

What is a landing zone in Azure architecture?

An Azure landing zone is a pre-configured environment with networking, identity, governance, security, and management foundations already in place. It follows Microsoft's Cloud Adoption Framework (CAF) best practices and provides a standardized, repeatable foundation for deploying workloads in Azure. Think of it as the "building code" for your Azure environment -- it ensures every workload deployed into the landing zone inherits the correct security policies, network connectivity, and governance controls.