Opening a second location feels like adding a new line to the kitchen. The menu stays the same, the timing changes, and the communication has to stay tight. Your microsoft 365 tenant setup should work the same way: one clear system, consistent branding, and just enough separation so each store can run fast.
I see restaurant groups stumble in the same spots, domain choices that confuse staff, shared inboxes nobody owns, and security settings that get skipped because “we’ll fix it after opening.” This post is how I set up location two so it works on day one, and stays manageable when location three shows up.
Decide the tenant model, keep one brand, reduce chaos
For most groups with two restaurants under the same ownership, I keep one Microsoft 365 tenant and add location structure inside it. You get one identity system (Microsoft Entra ID), one compliance boundary, and simpler Cloud Management. It also helps with staff that float between stores.
I only recommend a second tenant when you truly need separation, different legal entities, different ownership, or strict data walls. Otherwise, a single-tenant design is the cleanest IT Strategy for SMBs.
My go-to naming pattern for multi-location restaurants
- Primary domain (brand):
brand.com - Location domain (optional, for separation):
brandnorth.com - User principal name (UPN) format (what users sign in with):
first.last@brand.com - Email format options:
- Default email:
first.last@brand.com - Location-specific alias:
first.last@brandnorth.com - Role mailboxes:
northmanagers@brand.com,catering@brandnorth.com
- Default email:
This keeps branding consistent, but lets you split mail flow when it matters (catering, hiring, vendor support, local press).
Best practice: Keep sign-in UPNs consistent across all locations. Changing UPNs later is annoying, and it breaks muscle memory.
Step-by-step: the 2025 Microsoft 365 tenant setup for location two
If you want Microsoft’s baseline flow to compare against, I like the MS-102 training path because it mirrors real admin center tasks without fluff: Configure your Microsoft 365 tenant.
Here’s the exact order I use.
1) Inventory what location one already uses
Before I touch DNS, I document:
- Current domains, mailboxes, shared mailboxes, and distribution groups
- Any line-of-business apps tied to email (POS alerts, reservations, payroll)
- Existing admin accounts and who actually uses them
This is basic Small Business IT, but it prevents the “why did online orders stop emailing” surprise.
2) Add the second domain (example: brandnorth.com)
In Microsoft 365 admin center:
- Settings
- Domains
- Add domain
- Verify ownership (usually a TXT record)
If you plan on sending email as @brandnorth.com, you also add it as an accepted domain in Exchange Online (it typically follows once the domain is added, but I still verify in the Exchange admin center).
3) Publish DNS records for Exchange Online and authentication
Below is a practical DNS table for brandnorth.com. Use the exact values Microsoft provides for your tenant, but these record types and hostnames are the pattern you should expect.
| Purpose | Type | Host/Name | Value/Target | Notes |
|---|---|---|---|---|
| Domain verification | TXT | @ | (Microsoft-provided verification string) | Remove only if you’re sure you won’t re-verify later |
| Mail routing | MX | @ | <tenant>.mail.protection.outlook.com | Set as highest priority (lowest number) |
| SPF | TXT | @ | v=spf1 include:spf.protection.outlook.com -all | Add other senders only if you truly use them |
| Autodiscover | CNAME | autodiscover | autodiscover.outlook.com | Helps Outlook find the mailbox |
| DKIM selector 1 | CNAME | selector1._domainkey | (Microsoft-provided DKIM target) | Enable DKIM after the record resolves |
| DKIM selector 2 | CNAME | selector2._domainkey | (Microsoft-provided DKIM target) | Required for DKIM rotation |
| DMARC | TXT | _dmarc | v=DMARC1; p=none; rua=mailto:dmarc@brandnorth.com | Start with p=none, then move to quarantine/reject |
For DKIM details, I follow Microsoft’s current guidance here: How to use DKIM for email in your custom domain. For a simple SPF, DKIM, and DMARC overview that’s easy to share with a non-technical owner, I also point people to: How to set up SPF, DKIM, and DMARC for Microsoft 365.
Best practice: Don’t publish a “too-long SPF.” If you add DoorDash, Toast, a marketing tool, and a payroll sender, validate the final DNS lookup count.
4) Create location-based groups (before users)
In Microsoft Entra ID, I create groups like:
BRAND-North-StaffBRAND-North-ManagersBRAND-North-SharedMailbox-Access
Groups become your control layer for Tailored Technology Services later (Teams access, SharePoint permissions, Conditional Access scoping).
5) Create users with consistent identity and clean email addresses
For each new hire or transfer, I assign:
- UPN:
first.last@brand.com - Primary SMTP: usually
first.last@brand.com - Alias (if needed):
first.last@brandnorth.com
When I’m doing an Office 365 Migration from Gmail or another system for the new store’s leadership team, I migrate only what they need (mail, calendar, contacts), then lock down forwarding. Restaurants don’t have time for messy mail routing.
Shared mailboxes that match restaurant operations (not org charts)
Restaurants run on role inboxes. If the inbox name matches how people talk, it gets used.
My standard shared mailbox set for location two:
northmanagers@brand.com(shift notes, incident reports)northcatering@brandnorth.com(local marketing and orders)northitvendor@brand.com(Restaurant POS Support tickets, kitchen printer issues)northhiring@brandnorth.com(apps and interview scheduling)
I build them in the Exchange admin center, then assign members and Send As rights. Microsoft’s step-by-step is accurate here: Create shared mailboxes in the Exchange admin center.
Two rules I stick to:
- Shared mailbox owners are managers, not “everyone.”
- If a shared mailbox needs a sign-in (rare), it becomes a licensed user mailbox, not a shared mailbox.
This approach supports Kitchen Technology Solutions and vendor comms without giving vendors broad access to your environment.
License choices for restaurants (what I actually see work)
Licensing is where budget meets risk. In 2025, Microsoft’s business plans still fit most restaurant groups under 300 staff, but monthly billing costs changed earlier in 2025, so I price out annual terms when possible.
Here’s how I frame it for owners and MSPs.
| Plan | Best fit in a restaurant | Why I pick it |
|---|---|---|
| Microsoft 365 Business Basic | Hourly staff who only need web/mobile apps | Lowest cost for email, Teams, and web Office |
| Microsoft 365 Business Standard | Managers who need desktop Office apps | Desktop apps plus hosted email |
| Microsoft 365 Business Premium | Managers and anyone handling sensitive data | Adds Intune and stronger security controls |
| Exchange Online (Plan 1) | Shared terminals that only need email (limited cases) | Email only, useful for special workflows |
When I’m acting as a Business Technology Partner, I usually land on Business Premium for leadership because it supports Endpoint Security, Device Hardening, and stronger Cybersecurity Services without bolt-on tools.
Security-first defaults that won’t slow down service
Restaurants are busy, and attackers know it. Your goal is Business Continuity & Security, not “perfect security.”
Key 2025 reality: new Entra ID tenants created after late July 2025 have Security Defaults enabled by default, which blocks legacy authentication and forces MFA registration at first sign-in. For existing tenants, I either confirm Security Defaults are on, or I replace them with Conditional Access (if licensing supports it).
My baseline controls for a second location:
- Block legacy authentication (it’s still a top cause of mailbox takeovers).
- Require MFA for all users, and tighter rules for admins.
- Use least privilege admin roles (no daily-use Global Admin).
- Create two emergency “break-glass” accounts, excluded from Conditional Access, stored securely.
- Turn on device compliance for manager laptops and tablets (Intune policies), this is where Secure Cloud Architecture meets real-life operations.
- Separate POS and kitchen devices from office devices at the network layer when possible. This is part of Cloud Infrastructure planning and Infrastructure Optimization, even if the POS is vendor-managed.
For Entra guidance, I align to Microsoft’s security recommendations: Best practices to secure with Microsoft Entra ID. It maps well to Managed IT for Small Business workflows.
Final validation before you announce the new inboxes
I don’t consider location two “ready” until these pass:
- Mail flow test: external Gmail to
@brandnorth.com, reply back out, confirm no NDRs. - SPF/DKIM/DMARC check: confirm DKIM is enabled for the domain, confirm DMARC record resolves.
- Shared mailbox Send As: send from
northmanagers@brand.comas at least two users, verify Sent Items behavior matches your policy. - MFA and device access: new user can enroll and sign in, manager device shows compliant.
- Admin roles: confirm local managers aren’t over-privileged, and auditing is on.
Conclusion
A second restaurant location adds pressure everywhere, and email and identity problems show up at the worst times. When I set up Microsoft 365 the right way, consistent domains, clean users, shared mailboxes that match workflows, and security defaults that block the obvious attacks, the tech fades into the background and the store can focus on service.
If you want location two to open without IT drama, treat your microsoft 365 tenant setup as part of the build-out, not an afterthought. That’s how Technology Consulting turns into real Digital Transformation for restaurants, one solid system at a time.
Discover more from Guide to Technology
Subscribe to get the latest posts sent to your email.