Case study · MDR + ITDR + SAT (Protected tier) across all locations + Managed SIEM (Complete tier) at HQ
An 11-Location DSO, Five M365 Tenants, and the 4-Quarter Program That Brought It to One Defensible Posture
Anonymized composite case study — 11-location dental service organization with five accumulated M365 tenants, no central detection, two near-miss incidents in 18 months, brought to consolidated identity + endpoint coverage in four quarters.
Most DSO security programs do not fail because somebody made a bad decision. They fail because nobody made any decision at all — acquisitions stack up faster than the security program can absorb them, and one day the CFO realizes the group is running on five identity stacks and three IT firms with no single pane to look at any of it. This is the story of one of those groups, and the four quarters it took to bring it back to one defensible posture.
Situation
An 11-location dental service organization in the Southeast, formed through 6 acquisitions over 4 years. Practice mix: 8 general dentistry, 2 orthodontics, and 1 oral surgery surgical center. Roughly 140 chairside staff plus 35 doctors and hygienists. Each acquired practice had retained its IT firm, its practice-management system, and — critically — its Microsoft 365 tenant. The DSO had grown faster than its security program.
The CFO triggered the engagement after the second near-miss in 18 months: a phishing-driven session theft at one location that exposed how little visibility the central team had below the HQ tenant. The board wanted a defensible answer, not another spreadsheet of intentions.
Pre-engagement state (the audit)
The first 30 days were discovery. The findings were typical for DSOs growing through acquisition:
- Five separate M365 tenants still active — the parent group's original plus four acquired tenants never consolidated
- 62% endpoint coverage with any kind of EDR; the rest had only built-in Windows Defender, often with policy gaps
- 47% MFA coverage across users, concentrated at the HQ tenant — one acquired tenant had MFA disabled entirely
- Three different MSPs servicing the locations, with overlapping admin credentials and no documented separation of duty
- Four practice-management systems in production across 11 locations (Dentrix on-prem, Eaglesoft on-prem, Denticon cloud)
- Two near-miss incidents in 18 months — a BEC attempt at a satellite location and a credential-stuffing burst against an acquired tenant — both reached the "attacker has valid credentials" stage before being noticed by location staff, not by tooling
- One HIPAA risk analysis on file, dated four years prior, never updated since the acquisitions
The pattern is documented at length in Multi-Location Dental & DSO Cybersecurity: The Consolidation Problem. This was the version that gets caught before it makes the news.
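One way to compute the identity findings above (per-tenant MFA coverage, tenants with MFA off entirely, admin accounts reused across tenants) from a merged account inventory. This is an added example, not tooling from the engagement; the record layout, tenant names and accounts are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory (not data from the case study): one row per
# account, as it might be merged from per-tenant user exports.
# Fields (hypothetical layout): tenant, account, mfa_enabled, is_admin
INVENTORY = [
    ("hq",       "cfo@hq.example",        True,  False),
    ("hq",       "frontdesk@hq.example",  True,  False),
    ("hq",       "tech1@msp-a.example",   True,  True),
    ("ortho",    "dr.lee@ortho.example",  True,  False),
    ("ortho",    "billing@ortho.example", False, False),
    ("ortho",    "tech1@msp-a.example",   False, True),
    ("surgical", "or1@surgical.example",  False, False),
    ("surgical", "admin@msp-b.example",   False, True),
]

def mfa_coverage(rows):
    """Return {tenant: fraction of accounts with MFA}, plus an 'ALL' total."""
    total, covered = defaultdict(int), defaultdict(int)
    for tenant, _account, mfa, _is_admin in rows:
        for key in (tenant, "ALL"):
            total[key] += 1
            covered[key] += int(mfa)
    return {key: covered[key] / total[key] for key in total}

def tenants_with_no_mfa(rows):
    """Tenants in which not a single account has MFA enabled."""
    cov = mfa_coverage(rows)
    return sorted(t for t, frac in cov.items() if t != "ALL" and frac == 0)

def admin_findings(rows):
    """Return (admins present in more than one tenant, admins without MFA)."""
    tenants_by_admin = defaultdict(set)
    admins_without_mfa = []
    for tenant, account, mfa, is_admin in rows:
        if not is_admin:
            continue
        tenants_by_admin[account].add(tenant)
        if not mfa:
            admins_without_mfa.append((tenant, account))
    reused = {a: sorted(t) for a, t in tenants_by_admin.items() if len(t) > 1}
    return reused, sorted(admins_without_mfa)

if __name__ == "__main__":
    print(mfa_coverage(INVENTORY))
    print(tenants_with_no_mfa(INVENTORY))
    print(admin_findings(INVENTORY))
```

The same admin identity can carry MFA in one tenant and not in another, which is why the check is made per tenant rather than per person.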
The 4-quarter program
Q1 — Discovery + identity consolidation start. Full inventory across all 11 locations: every endpoint, every M365 tenant, every PMS instance, every MSP admin account. Identity-consolidation plan agreed with the executive team. MFA enforced firm-wide as the first non-negotiable — including the tenant that had it disabled.
Q2 — Endpoint + identity coverage to 100%. Huntress Managed EDR deployed to every endpoint and PMS server. Huntress Managed ITDR connected to every M365 tenant (all five, in parallel) so the SOC had identity visibility even into tenants slated for retirement. Four of the five tenants were migrated into the HQ tenant by end of Q2; the fifth was retained for a satellite operating under a separately licensed brand.
Q3 — Process + training. Managed Security Awareness Training rolled out across all 140 staff. Quarterly phishing simulations tuned to dental-specific themes: insurance verification scams, lab payment redirects, ADA-membership lookalikes. A documented incident response runbook published, with named contacts for each location.
Q4 — Compliance + evidence packaging. HIPAA risk analyses completed for each covered-entity location. A group-level WISP authored. Cyber insurance renewal proceeded with the consolidated program documentation in the carrier's file, with a premium reduction of roughly 22% from the prior cycle and the underwriter citing the consolidated detection coverage. The year closed with a tabletop exercise run with the executive team.
Outcome
- Endpoint coverage: 62% → 100%
- MFA coverage: 47% → 100%
- Active M365 tenants: 5 → 2 (one retained intentionally for the differently-branded satellite)
- Documented active MSP admin accounts: 17 → 6, with clear separation of duty
- HIPAA risk analyses on file: 1 (stale) → 11 (current)
- Documented incidents during the program year: 0
- Cyber-insurance premium: −22% on renewal
- Mean alert-to-acknowledged time: from "we wait until someone notices" to 6 minutes by end of Q4
Controls that mattered
- Identity-first sequencing. Getting MFA + ITDR coverage to 100% in Q1–Q2 paid off when low-grade credential-stuffing attempts in Q3 were caught and neutralized before any human at the locations saw them.
- Single Huntress tenant view. The SOC and the Obsidian Ridge practitioner saw all 11 locations in one pane, not 11 fragmented dashboards. That single view cut alert-to-acknowledged from hours to minutes.
- One separate tenant retained intentionally. The branded-satellite location had legitimate business reasons to stay separate. The program documented and accepted the residual risk rather than forcing a consolidation that did not make sense.
- Quarterly executive briefings. The CFO and COO knew at every quarter boundary what had changed, what had not, and what was next. No surprise budget asks.
- A documented program, not a heroic effort. The four-quarter sequence was visible to leadership from Q1 — predictable cadence, predictable costs, no scope creep.
What we did NOT do
- We did not force consolidation of the four practice-management systems. The cost-benefit did not yet justify a multi-million-dollar migration; the group will revisit when it crosses 15 locations.
- We did not replace the IT firms. Each location kept its existing IT relationship; we sat alongside the IT function, not on top of it — the posture that made the program politically survivable inside the acquired practices.
- We did not deploy Managed SIEM at every location. SIEM (Complete tier) was deployed at HQ for centralized log retention; site-by-site SIEM was deferred until the compliance footprint justifies it.
Disclosure
This case study is an anonymized composite drawn from M&A cyber-diligence and DSO consolidation engagements. Specific location counts, percentages, premium movement, and timing have been adjusted to protect the group's identity. The architecture pattern — multiple M365 tenants accumulated through acquisition, a mixed PMS estate, fragmented MSP relationships — is common in the DSO market and is documented in ADA Practice Transitions reports, the 2024–2025 Coveware quarterlies, and HHS OCR multi-facility breach disclosures. No single client is identifiable from this narrative.
If you run or advise a multi-location dental group and want to know what a four-quarter consolidation program looks like on the ground, start at the dental industry page or the enterprise page, and read The Briefing for the weekly write-up of patterns that show up in DSO audits before they reach your board packet.
