
Prismatic's debut AI L1 demo: automated password reset that runs inside Syncro

How a multi-agent loop handles password reset tickets end-to-end inside Syncro: the architecture, the verified user flow, and what the demo assumes.

Password reset tickets are the most common L1 ticket type for most MSPs. They're also the cleanest place to start handing work over to AI, for four reasons.

The action is reversible. If something goes wrong, the user runs the reset themselves and the worst-case outcome is "the password didn't change."

The scope is narrow. Identify the user, verify intent, generate a one-time credential, hand off the reset action. No interpretation, no judgment calls.

The success criteria are unambiguous. Either the user has access to their account or they don't. No gray area to debate after the ticket closes.

And the user stays in the loop. The AI doesn't reach into M365 and change the password unilaterally. It triggers a verified flow that the user themselves completes. This matters for compliance and for the "AI changed my password without telling me" complaints you'd otherwise get.

The architecture

Two agents handle the loop. They're scoped to separate tasks on purpose.

The first is a queue monitoring agent. It watches your Syncro ticket queue and identifies password reset tickets within about 15 seconds of creation. When it finds one, it tags the ticket as a password reset and hands off to the second agent. It does nothing else. No M365 calls, no user lookups, no actions on the tenant.

The second is a specialized password reset agent. It receives the tagged ticket, pulls the user from your M365 tenant, finds the user's secondary email address, and sends a verification link to that address. The user clicks through to a branded portal, confirms it's them, and runs the password reset themselves. M365 records the action. The ticket auto-resolves with a full note of what happened.

Splitting the work across two agents instead of one is intentional. The queue agent has read-only scope and can be scaled or restarted without affecting any password reset in flight. The specialized agent only acts when triggered, only on tagged tickets, and only against the specific user identified by the queue agent. Each agent has a smaller blast radius than a monolithic system would.

Why the verified flow

The natural alternative would be: AI receives the ticket, AI changes the password directly in M365, AI sends the new password to the user. That works in some setups, but two things make the verified flow better in practice.

User verification keeps the trust chain clean. When the password change is verified at the user level (they clicked the link, they confirmed in the portal, they ran the reset), the audit trail shows their action, not the service account's. From a compliance angle, that's cleaner. The action attribution is real.

And the user stays in the loop. The "AI changed my password without telling me" complaint never happens because the user themselves clicked the button.
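A sketch of the verification-link step as an added example, not Prismatic's code: the specialized agent refuses untagged tickets and issues a single-use, expiring token bound to one ticket and one user, which the portal redeems before the user runs the reset. The tag name, the 15-minute lifetime, the function names and the in-memory store are all assumptions made for illustration.

```python
import hashlib
import secrets
import time
from typing import Optional

# Assumptions (not from the original post): tag name, token lifetime,
# and an in-memory dict standing in for the portal's database.
RESET_TAG = "password-reset"
TOKEN_TTL_SECONDS = 15 * 60
_pending = {}  # sha256(token) -> record; the raw token is never stored


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_link_token(ticket: dict, user_id: str, now: Optional[float] = None) -> str:
    """Specialized agent: act only on tagged tickets, bind the token to ticket and user."""
    if RESET_TAG not in ticket.get("tags", []):
        raise PermissionError("ticket was not tagged by the queue agent")
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending[_digest(token)] = {
        "ticket_id": ticket["id"],
        "user_id": user_id,
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    return token  # goes into the link sent to the secondary email


def redeem_link_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Portal: return the bound ticket and user once; None if unknown, reused or expired."""
    now = time.time() if now is None else now
    record = _pending.pop(_digest(token), None)  # pop makes the token single-use
    if record is None or now > record["expires_at"]:
        return None
    return {"ticket_id": record["ticket_id"], "user_id": record["user_id"]}
```

Because the portal learns the user and ticket only from the redeemed record, a link cannot be replayed or pointed at a different account.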

See it running

Two-minute Loom of the flow running end-to-end:

Watch the demo

What the demo assumes

Two things, neither of them mandatory if you build it differently.

First, a customer portal that isn't tied to M365 so the verification step has somewhere to land that isn't gated by the same credentials the user is trying to reset.

Second, a secondary contact email in Entra for the user, which is how the identification step works during the verification.

Both are common in modern MSP setups. If you don't have them, the verification path can be adjusted to use a different out-of-band confirmation method.

What's next

This is the first action in the Prismatic AI L1 stack. The next ones in the queue are the rest of the high-frequency L1 ticket types: license assignments, group membership changes, distribution list updates. Same architecture pattern. A queue monitoring agent identifies and tags. A specialized agent handles the action. The user stays in the loop where the action affects them.

If you want to see the password reset flow running in your own Syncro tenant, book 15 minutes at prismaticenterprises.co.


What's the first ticket type you'd hand to an AI L1 in your queue?
