Crayon PRISM Integration
Connect your Crayon PRISM account to give AI agents read-only access to CSP license management data, including programs, customer tenants, Azure usage, and billing invoices — purpose-built for APAC Microsoft CSP resellers.
Overview
The Crayon PRISM Integration provides 4 focused read-only tools that allow AI agents to query your PRISM programs, customer tenants, Azure usage, and billing invoices. Unlike the Crayon Cloud IQ integration (which targets European partners), PRISM serves APAC-region Crayon partners.
Authentication uses OAuth2 client credentials flow: you supply your PRISM Client ID and Client Secret once during setup, and the system manages token acquisition and caching automatically. Tokens are valid for 1 hour and refreshed automatically 2 minutes before expiry. Credentials are stored encrypted using AES-256-CBC.
All 4 PRISM tools are strictly read-only. Agents cannot create, update, or delete any PRISM records through this integration.
Use Cases
- License Status Lookup - Agent queries CSP tenant subscription status before responding to a customer licensing question
- Azure Cost Analysis - AICOS retrieves Azure usage data for a customer tenant to prepare cost optimization recommendations
- Billing Reconciliation - Agent looks up invoice details for a specific tenant to verify billing accuracy
- Program Discovery - Agent retrieves available programs to answer a customer question about eligible offers
- Tenant Health Check - Admin runs the smoke test after initial setup to confirm all 4 tools are reachable end-to-end
How It Works
IT Admin enters       Token acquired             Agents query PRISM
PRISM credentials     via client_credentials     using tool group
       |                        |                         |
       v                        v                         v
+--------------+      +-------------------+      +------------------+
| PRISM Client |      | OAuth2 client     |      | Query programs,  |
| ID and       | ---> | credentials flow, | ---> | tenants, Azure   |
| Client Secret|      | 1-hour token,     |      | usage, invoices  |
|              |      | auto-refreshed    |      |                  |
+--------------+      +-------------------+      +------------------+
Getting Started
Prerequisites
Before connecting Crayon PRISM:
- Pro Plus+ Subscription - The PRISM integration requires the custom.prism feature code on your subscription
- Crayon PRISM Account - Your organization must be a registered Crayon PRISM partner with API access enabled
- PRISM API Credentials - Obtain your Client ID and Client Secret from your Crayon PRISM admin portal
- Admin Access - You must be an Outermind administrator to configure the integration
Step 1: Enter PRISM Credentials
- Navigate to Build > Connections > Crayon PRISM
- Enter your Client ID
- Enter your Client Secret
- Click Test Connection to validate your credentials before saving
- Click Connect Crayon PRISM to persist the connection and create tools
Credentials are encrypted at rest immediately upon saving.
Do not share your PRISM credentials with anyone. These credentials provide access to your entire Crayon PRISM partner account, including all customer tenants and billing data.
Step 2: Run the Smoke Test
After connecting, the smoke test runs automatically to verify end-to-end tool health. You can also run it manually at any time:
- With the connection active, click Run Smoke Test
- A 4-row results panel appears with one row per PRISM tool
- Each row shows: tool name, pass/fail status, response time in milliseconds, and any error message
- The overall badge shows All Healthy (green) or Issues Detected (red)
The smoke test exercises one safe read per tool:
| Check | Operation | What It Tests |
|---|---|---|
| Programs | list_programs | Program catalog is reachable |
| Tenants | list_tenants | Customer tenant list is reachable |
| Azure Pricing | get_price_list | Azure price list endpoint is reachable |
| Invoices | get_invoices | Billing invoice endpoint is reachable |
Individual check failures do not indicate a broken credential — they may reflect entitlement gaps on your PRISM account. If one check fails but the others pass, contact your Crayon account manager to verify your account is entitled to that data type.
Step 3: Assign the PRISM Tool Group to Agents
PRISM tools are bundled into a "PRISM" tool group created automatically at connection time:
- Navigate to Build > AI Agents > Agents
- Edit the agent that should have PRISM access
- Go to the Tools tab
- In the Tool Groups section, enable the PRISM group
- Save the agent
All 4 PRISM tools are assigned together as a single unit via the tool group.
Available Tools
When PRISM is connected, 4 read-only tools are created and grouped under the "PRISM" tool group.
1. PRISM Search Customers (prism_search_customers)
Query CSP programs and customer accounts in your PRISM partner account.
| Action | Description |
|---|---|
| list_programs | List available CSP programs |
| list_customers | List customer accounts |
| get_customer | Get details for a specific customer |
2. PRISM Search Tenants (prism_search_tenants)
Query CSP tenant details and subscription status.
| Action | Description |
|---|---|
| list_tenants | List customer tenants, filterable by vendorProgramType (e.g. MicrosoftCSP) |
| get_tenant | Get details for a specific tenant |
3. PRISM Azure Usage (prism_azure_usage)
Query Azure price lists and usage data.
| Action | Description |
|---|---|
| get_price_list | Retrieve Azure pricing (paginated, pageSize controls rows per page) |
| get_usage | Retrieve Azure usage data for a tenant and billing period |
4. PRISM Search Billing (prism_search_billing)
Query billing invoices and statements.
| Action | Description |
|---|---|
| get_invoices | List invoices (paginated, filterable by date range) |
| get_invoice | Get details for a specific invoice |
Security & Limitations
Security
- AES-256-CBC encryption - API credentials are encrypted at rest using your tenant's encryption key
- Distributed token locking - Only one process refreshes the token at a time; prevents concurrent refresh races
- Automatic token refresh - Tokens are refreshed 2 minutes before their 1-hour expiry
- Read-only access - All API calls are GET (or POST for get_detailed_usage where the PRISM API requires it); no create, update, or delete operations are possible
- Tenant isolation - Credentials and tools are strictly scoped to your tenant
- Authentication error sanitization - Auth errors never echo back PRISM API credential details
- Audit logging - Every tool execution is logged with agent, action, and result
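The token handling described in the Overview and in the locking and refresh bullets above, as an added sketch that is not Outermind's or Crayon's own code. It assumes a hypothetical `fetch_token` callable in place of the real token endpoint and uses an in-process lock as a stand-in for the distributed lock.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor

TOKEN_TTL = 3600      # page: tokens are valid for 1 hour
REFRESH_SKEW = 120    # page: refreshed 2 minutes before expiry


class TokenCache:
    """Caches one client-credentials token and refreshes it early, single-flight."""

    def __init__(self, fetch_token, clock=time.monotonic):
        self._fetch = fetch_token      # hypothetical callable: () -> (token, ttl_seconds)
        self._clock = clock
        self._lock = threading.Lock()  # in-process stand-in for the distributed lock
        self._token = None
        self._refresh_at = 0.0

    def _fresh(self):
        return self._token is not None and self._clock() < self._refresh_at

    def get(self):
        if self._fresh():              # fast path: no lock while the token is fresh
            return self._token
        with self._lock:
            if self._fresh():          # another caller refreshed while we waited
                return self._token
            token, ttl = self._fetch()
            self._token = token
            self._refresh_at = self._clock() + max(ttl - REFRESH_SKEW, 0)
            return token


def demo():
    """Constructed run: 8 concurrent callers, then the clock reaches 58 minutes."""
    now, calls = [0.0], []

    def fake_fetch():                  # constructed token endpoint; no network
        time.sleep(0.05)               # widen the race window
        calls.append(now[0])
        return f"token-{len(calls)}", TOKEN_TTL

    cache = TokenCache(fake_fetch, clock=lambda: now[0])
    with ThreadPoolExecutor(max_workers=8) as pool:
        first_wave = set(pool.map(lambda _: cache.get(), range(8)))
    now[0] = TOKEN_TTL - REFRESH_SKEW - 1   # 3479 s: still inside the fresh window
    before = cache.get()
    now[0] = TOKEN_TTL - REFRESH_SKEW       # 3480 s: refresh threshold reached
    after = cache.get()
    return len(calls), first_wave, before, after
```

The second freshness check inside the lock is what keeps waiting callers from each requesting their own token once the first refresh completes.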
Limitations
- Read-only - Cannot create, update, or delete any PRISM records
- Single connection - Only one PRISM connection per Outermind tenant
- APAC-region data - PRISM serves APAC partners; for European partners use the Crayon Cloud IQ integration instead
Troubleshooting
Test Connection Fails
Problem: Credentials are rejected when clicking Test Connection
Solutions:
- Verify your Client ID and Client Secret are copied correctly with no leading or trailing spaces
- Confirm your PRISM account has API access enabled (contact your Crayon account manager)
- Check that the credentials have not been rotated or revoked in the PRISM admin portal
Smoke Test Shows One or More Red Checks
Problem: The smoke test passes some checks but fails others
Solutions:
- Partial failure usually means your PRISM account is not entitled to that data type — contact your Crayon account manager to verify entitlements
- If all checks fail, the connection credentials may have expired — click Update Credentials to re-enter them and retest
- Transient network errors may cause individual checks to fail — click Run Smoke Test again before escalating
Agent Returns "PRISM Connection Is Inactive"
Problem: Agent execution returns a connection status error
Solutions:
- Navigate to Build > Connections > Crayon PRISM and check the connection status badge
- Click Test Connection — if it fails, update your credentials
- After updating credentials, re-run the smoke test to confirm all 4 tools are healthy before retrying the agent
Agent Cannot Find PRISM Tools
Problem: PRISM tools do not appear when editing an agent
Solutions:
- Verify the PRISM connection is active at Build > Connections > Crayon PRISM
- Check that the "PRISM" tool group exists at Build > AI Agents > Tool Groups
- Assign the PRISM tool group (not individual tools) to the agent
- Refresh the page and try again
Best Practices
Agent Instructions
Help your agents use PRISM tools effectively:
When working with Crayon PRISM data:
1. Start with prism_search_customers to find the program or customer
before querying tenants or billing
2. Use prism_search_tenants with vendorProgramType='MicrosoftCSP' to
narrow tenant results to Microsoft CSP accounts
3. For Azure pricing, use get_price_list with a small pageSize (1-5)
to retrieve representative pricing without fetching the full catalog
4. For billing, use get_invoices with a date range to scope results
to the relevant billing period
Configuration
- Assign the PRISM tool group only to agents that handle cloud licensing or billing inquiries
- After initial setup, always run the smoke test to confirm all 4 checks pass before assigning tools to production agents
- Create a dedicated MSP operations agent with the PRISM tool group rather than adding it to general-purpose agents
Security
- Rotate your PRISM API credentials periodically and update them in Outermind promptly
- If the employee who set up the PRISM connection leaves, update the credentials to use a service account
- Review agent execution logs regularly to monitor what PRISM data is being queried
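One way to make the log review above repeatable, as an added example that is not part of the product. The JSON-lines layout, the `tool` field, the `"success"` result value, and the agent names are assumptions; the page states only that each execution is logged with agent, action, and result.

```python
import json
from collections import Counter

# Actions from the tool tables on this page. get_detailed_usage is named only in
# the Security section; placing it under prism_azure_usage is an assumption.
DOCUMENTED = {
    "prism_search_customers": {"list_programs", "list_customers", "get_customer"},
    "prism_search_tenants": {"list_tenants", "get_tenant"},
    "prism_azure_usage": {"get_price_list", "get_usage", "get_detailed_usage"},
    "prism_search_billing": {"get_invoices", "get_invoice"},
}

SAMPLE_LOG = [  # constructed records; field names and values are assumptions
    '{"agent": "msp-ops", "tool": "prism_search_tenants", "action": "list_tenants", "result": "success"}',
    '{"agent": "helpdesk", "tool": "prism_search_billing", "action": "get_invoices", "result": "success"}',
    '{"agent": "msp-ops", "tool": "prism_search_billing", "action": "delete_invoice", "result": "error"}',
    "not json",
]


def review(lines, approved_agents):
    """Return (findings, calls_per_agent, failures_per_agent) for audit records."""
    findings, calls, failures = [], Counter(), Counter()
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
            agent, tool, action, result = (
                rec[k] for k in ("agent", "tool", "action", "result")
            )
        except (ValueError, KeyError, TypeError):
            findings.append((n, "unparseable record"))
            continue
        calls[agent] += 1
        if result != "success":
            failures[agent] += 1
        if agent not in approved_agents:
            findings.append((n, f"agent {agent!r} is not approved for the PRISM tool group"))
        if action not in DOCUMENTED.get(tool, set()):
            findings.append((n, f"undocumented action {tool}.{action}"))
    return findings, dict(calls), dict(failures)
```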
Related Topics
- Tools Overview - All available agent tools
- Agents - Configure agents to use tools
- Agent Executions - View tool execution logs
- Crayon Cloud IQ Integration - Alternative Crayon integration for European partners
- Pax8 Marketplace Integration - Alternative marketplace integration for Pax8 MSPs