Skip to main content

Approve Dainvo in your organization

This page is for IT administrators of Microsoft 365 (Entra ID) and Google Workspace organizations. If you are a Dainvo user whose work or school account is blocked, send this page to your administrator.

Dainvo works on every plan, including the free plan, once your organization approves it. Approval is a one-time action per organization.

How Dainvo handles your organization's data

  • Dainvo syncs calendars and tasks directly between the user's device and Microsoft or Google. Calendar content is stored in an encrypted local database on the device, not on Dainvo servers.
  • OAuth tokens are stored on the device in an encrypted vault protected by the operating system keystore. Dainvo servers never receive or store Microsoft or Google tokens.
  • All permissions are delegated (on behalf of a signed-in user). Dainvo uses no application permissions and no domain-wide delegation.
  • Dainvo requests permissions incrementally: connecting an account asks for calendar access only, and additional permissions are requested only when the user turns on the matching feature.

For the full security architecture, see the Dainvo enterprise security whitepaper on dainvo.com.

Microsoft 365 / Entra ID

Application (client) ID: 1f03ba16-1742-4ebd-94df-be0f0e6377c6

The same application ID is used by the Dainvo desktop and mobile apps. It is registered as a multi-tenant public client (PKCE, no client secret).

Delegated permissions

PermissionWhen it is requestedWhy Dainvo needs it
User.ReadAlwaysIdentify the signed-in account (name and email)
Calendars.ReadWriteConnecting an account (default)Two-way calendar sync: read events, create and edit events the user makes in Dainvo
offline_accessConnecting an account (default)Keep the account connected without re-prompting for sign-in
Tasks.ReadWriteOnly when the user enables Microsoft To DoTwo-way Microsoft To Do task sync
Mail.ReadWriteOnly when the user enables Outlook Email tasksRead flagged email and update flags for the email tasks feature
Calendars.ReadWrite.SharedOnly in custom deployments that enable shared calendar writeEdit shared calendars the user can already edit in Outlook

Recommended path, in the Microsoft Entra admin center:

  1. Have one user attempt to connect Microsoft in Dainvo once. This creates the Dainvo service principal in your tenant.
  2. Open Entra admin center > Identity > Applications > Enterprise applications.
  3. Find Dainvo (application ID 1f03ba16-1742-4ebd-94df-be0f0e6377c6).
  4. Open Permissions and choose Grant admin consent.

Alternative: open the admin consent URL below while signed in as a Global Administrator or Privileged Role Administrator.

https://login.microsoftonline.com/organizations/adminconsent?client_id=1f03ba16-1742-4ebd-94df-be0f0e6377c6&redirect_uri=http://localhost

After you approve, the browser redirects to http://localhost and shows a connection error. This is expected for a desktop app: the consent is already recorded before the redirect.

If you prefer per-user consent, you can instead allow user consent for this application through your user consent policies.

Google Workspace

OAuth client IDs (all in the same Dainvo Google Cloud project):

ClientClient ID
Desktop app510973960767-tsurqt2c5ejprvvkciiafrpviltp0osl.apps.googleusercontent.com
iOS app510973960767-tu86bjtgkcqjv5npljisge5pvs20i4l7.apps.googleusercontent.com

If your admin console shows another client from project number 510973960767 (for example the Android app, which is registered by package name and signing certificate), it belongs to the same Dainvo project.

Scopes

ScopeWhen it is requestedWhy Dainvo needs it
openid, email, profileAlwaysIdentify the signed-in account
https://www.googleapis.com/auth/calendarConnecting an account (default, desktop)Two-way calendar sync: read events, create and edit events the user makes in Dainvo
https://www.googleapis.com/auth/calendar.readonlyConnecting an account (mobile)Read-only calendar view on mobile
https://www.googleapis.com/auth/tasksOnly when the user enables Google TasksTwo-way Google Tasks sync

Dainvo requests no Gmail scopes.

Allow Dainvo for your organization

  1. Open the Google Admin console.
  2. Go to Security > Access and data control > API controls > App access control.
  3. Choose Manage third-party app access, then Configure new app.
  4. Search by the client ID (use the desktop client ID above), select the Dainvo clients, and mark them Trusted.

Marking the app Trusted by client ID works even while Google's app verification review is in progress, so your users are never blocked by the verification status.