Before users can access the calendar integration, administrators need to complete a test flow that checks the consent level of the calendar integration. Letting administrators test the integration before enabling it ensures that end-users don’t face any difficulties when syncing their calendars.
However, administrators may run into issues during this test flow. If a test flow fails, you will not be able to enable the integration. In this case, you first need to resolve the cause of the failure; this may require help from the application administrator responsible for your organization’s work calendar.
Please toggle between the different solutions in the tab menu below to find the troubleshooting steps associated with your Cloud Suite (either O365 or Google Workspace).
When does a user see this screen?
This screen appears when a user chooses to connect their calendar to Mapiq: they are redirected to the login and consent flow. This is normal when the user has not given consent before and no administrator has granted admin consent for the organization. By clicking the Accept button, the user gives Mapiq the indicated permissions. A user should see this screen only once.
The user is not sent to the consent screen but is redirected back to the app
When clicking ‘Connect your calendar’, the user is not sent to the consent screen but is instead automatically redirected back to the app.
When does this happen?
The user has already given consent, or an administrator has already given consent on behalf of all users.
Error message: Sorry, but we’re having trouble signing you in.
The user receives the error message: “Sorry, but we’re having trouble signing you in. AADSTS50105: The signed-in user [username] is not assigned to a role for the application [application-id].”
When does a user see this screen?
The user has chosen to connect their calendar to Mapiq and has been redirected to the consent flow. After logging in, the user will receive this error: AADSTS50105.
Why does it happen?
This error occurs when an administrator has enabled ‘user assignment’ for the Mapiq connection with Office 365, and a user who has not yet been assigned to the application attempts to connect their calendar.
How to resolve this?
The user should consult their organization’s Active Directory or Tenant administrator (this is often a different person than the building or subscription administrator). Possible solutions are:
- The administrator assigns the user a role (Default Access) in the application
- The administrator disables user assignment for the app so that all users in the organization can use the app
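The check and the two fixes above can also be done from PowerShell. This is an added example, not a script from Mapiq or Microsoft; it assumes the Microsoft Graph PowerShell SDK, an existing `Connect-MgGraph` session with rights to read and update enterprise applications, and that you pass the app's display name as it appears in your tenant (a placeholder here).

```powershell
# Added example: diagnose AADSTS50105 for one user and optionally apply one fix.
# Assumes an existing Connect-MgGraph session with sufficient rights.
param(
    [Parameter(Mandatory)] [string] $AppDisplayName,     # app name in your tenant (placeholder)
    [Parameter(Mandatory)] [string] $UserPrincipalName,  # user who received AADSTS50105
    [ValidateSet('Report', 'AssignUser', 'DisableAssignment')]
    [string] $Action = 'Report'
)

$name = $AppDisplayName.Replace("'", "''")               # escape quotes for the OData filter
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$name'")
if ($sp.Count -ne 1) {
    throw "Expected exactly one app named '$AppDisplayName', found $($sp.Count)."
}
$sp = $sp[0]
$user = Get-MgUser -UserId $UserPrincipalName

# Direct assignments only: a user covered through an assigned group is listed
# under the group's PrincipalId, not their own.
$direct = @(Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.PrincipalId -eq $user.Id })

[pscustomobject]@{
    App                  = $sp.DisplayName
    AssignmentRequired   = [bool]$sp.AppRoleAssignmentRequired
    UserDirectlyAssigned = $direct.Count -gt 0
    Matches50105         = [bool]$sp.AppRoleAssignmentRequired -and $direct.Count -eq 0
}

switch ($Action) {
    'AssignUser' {
        # Fix 1: assign the user. The all-zero GUID is the Default Access role,
        # valid when the app defines no app roles of its own (assumed here).
        if ($direct.Count -eq 0) {
            New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
                -PrincipalId $user.Id -ResourceId $sp.Id `
                -AppRoleId '00000000-0000-0000-0000-000000000000' | Out-Null
        }
    }
    'DisableAssignment' {
        # Fix 2: stop requiring assignment so every user in the tenant can sign in.
        Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$false
    }
}
```

Run it with the default `Report` action first; `DisableAssignment` widens access to the whole organization, so prefer `AssignUser` where assignment is being used deliberately to limit who can use the app.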
Admin approval is required
In some cases, the O365 tenant administrator may have classified permissions differently from what the Mapiq app expects. For example:
Permissions classified as low impact by Tenant admin
Permissions expected by app
In this scenario, administrator approval is required (because Calendars.Read is not classified as low impact). The 'approval required' dialog will present an option to request access to the app. Even if the application is not requesting this specific permission, this permission always needs to be present in the list of low-impact permissions; otherwise, a user won’t be able to sign in.
After requesting approval, the user can go back to the app. Of course, the consent has not yet been given, so Mapiq cannot access the user’s calendar, and an error message will be shown.
| Request for approval is presented | Users can return to the app | Calendar sync has failed |
Depending on the level of permission given by the Tenant administrator, either of the first two screens may not be shown. However, the last screen is always shown when the test flow fails.
An administrator of the organization’s O365 tenant can review pending requests. For each pending request, they can review the requested permissions and provide consent from the O365 side. Note that this gives consent on behalf of all users in the organization, meaning that users will no longer be prompted to review these permissions. In this case, users will still have to go through the consent flow (i.e., connect their calendar), but they will not see the consent screen with the Approve button during that process and will be redirected back to the app immediately.
As the Subscription administrator tests the flow, this consent will be given before enabling the Hybrid Meetings integration, automatically ensuring your end-users will not see this 'approval is needed from an admin' screen.
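To see in advance whether the classification mismatch described in this section applies to your tenant, a tenant administrator can compare the low-impact list with the permissions the app requests. This is an added example, not a script from Mapiq or Microsoft; it assumes the Microsoft Graph PowerShell SDK and an existing `Connect-MgGraph` session with rights to read applications and policies, and the permission list is a placeholder containing only the one permission named above.

```powershell
# Added example: will users be able to consent themselves, or is admin approval needed?
# Assumes an existing Connect-MgGraph session with rights to read apps and policies.
param(
    # Placeholder: replace with the delegated permissions shown in the app's consent prompt.
    [string[]] $ExpectedPermissions = @('Calendars.Read')
)

# User-consent policies currently assigned to ordinary users in the tenant.
$assigned = @((Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
$selfConsent = @($assigned | Where-Object { $_ -like 'ManagePermissionGrantsForSelf.*' })
$lowOnly = $selfConsent -contains 'ManagePermissionGrantsForSelf.microsoft-user-default-low'

# Delegated Microsoft Graph permissions the tenant has classified as low impact.
# 00000003-0000-0000-c000-000000000000 is the well-known Microsoft Graph app ID.
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$low = @(Get-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $graph.Id |
    Where-Object { $_.Classification -eq 'low' } |
    Select-Object -ExpandProperty PermissionName)

foreach ($permission in $ExpectedPermissions) {
    $isLow = $low -contains $permission
    [pscustomobject]@{
        Permission          = $permission
        ClassifiedLow       = $isLow
        UserConsentPolicy   = if ($selfConsent.Count) { $selfConsent -join ', ' } else { '(user consent disabled)' }
        # Approval is needed when users cannot consent at all, or when they may
        # only consent to low-impact permissions and this one is not in that list.
        NeedsAdminApproval  = ($selfConsent.Count -eq 0) -or ($lowOnly -and -not $isLow)
    }
}
```

Any row with `NeedsAdminApproval` set to `True` means the test flow will end in the 'approval required' dialog until an administrator either grants consent or adds the permission to the low-impact list.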
User consent variations
In the O365 environment, Tenant administrators can decide on variations of the user consent. These options are shown in the screenshot below. Tenant administrators can set the consent level for only a subset of the users instead of all users. If that's the case, users need to be assigned to the app before using it.
Verify if users can access the application
Google Workspace for Mapiq is a third-party Google app that retrieves users' authorization to access their Google Workspace Calendar.
Organizations using Google Workspace can choose how their users provide this authorization to third-party applications and restrict access to Google Workspace services, including the Google Calendar service.
In a very basic setup, users can log in to all applications onboarded in Google's app verification program. Those applications can access most Google Workspace services, excluding high-risk scopes (such as Gmail or Drive).
In practice, many organizations choose to restrict the way users can give applications access to their data. Refer to this Google Support document to learn more about the options available to Google Workspace administrators: Control external access to Google Workspace data - Google Workspace Admin Help.
In most cases, a Google Workspace administrator will need to trust an app before users can connect their Google Workspace Calendar to Mapiq. If a user attempts to connect their calendar when admin approval is still required, the following error will be shown:
Administrators can manage access to apps in the Google Admin console. Please refer to this Google support page to learn how that can be done: Control which third-party & internal apps access Google Workspace data - Google Workspace Admin Help.
Administrators should make sure that the following app is allowed access to the services Google Workspace Admin (for room linking in Mapiq’s admin portal) and Calendar (for access to user calendars):
- Google for Mapiq
Verify Context-Aware Access
Some organizations restrict users' and applications' ability to sign in or access resources in their Google Workspace environment using Context-Aware Access. For example, your organization may allow users to access Google Workspace data only if they use a company-issued device. See Context-Aware Access overview - Google Workspace Admin Help for more information.
Verify (with your IT department or Google Workspace administrator) that employees in your organization can sign in and access their Google data with the Mapiq mobile application and the web browser version (https://shifts.mapiq.com and https://admin.mapiq.com). This will help avoid locking out your users by way of any IT policies that your organization has configured.