Approve Dainvo in your organization
This page is for IT administrators of Microsoft 365 (Entra ID) and Google Workspace organizations. If you are a Dainvo user whose work or school account is blocked, send this page to your administrator.
Dainvo works on every plan, including the free plan, once your organization approves it. Approval is a one-time action per organization.
How Dainvo handles your organization's data
- Dainvo syncs calendars and tasks directly between the user's device and Microsoft or Google. Calendar content is stored in an encrypted local database on the device, not on Dainvo servers.
- OAuth tokens are stored on the device in an encrypted vault protected by the operating system keystore. Dainvo servers never receive or store Microsoft or Google tokens.
- All permissions are delegated (on behalf of a signed-in user). Dainvo uses no application permissions and no domain-wide delegation.
- Dainvo requests permissions incrementally: connecting an account asks for calendar access only, and additional permissions are requested only when the user turns on the matching feature.
For the full security architecture, see the Dainvo enterprise security whitepaper on dainvo.com.
Microsoft 365 / Entra ID
Application (client) ID: 1f03ba16-1742-4ebd-94df-be0f0e6377c6
The same application ID is used by the Dainvo desktop and mobile apps. It is registered as a multi-tenant public client (PKCE, no client secret).
Delegated permissions
| Permission | When it is requested | Why Dainvo needs it |
|---|---|---|
User.Read | Always | Identify the signed-in account (name and email) |
Calendars.ReadWrite | Connecting an account (default) | Two-way calendar sync: read events, create and edit events the user makes in Dainvo |
offline_access | Connecting an account (default) | Keep the account connected without re-prompting for sign-in |
Tasks.ReadWrite | Only when the user enables Microsoft To Do | Two-way Microsoft To Do task sync |
Mail.ReadWrite | Only when the user enables Outlook Email tasks | Read flagged email and update flags for the email tasks feature |
Calendars.ReadWrite.Shared | Only in custom deployments that enable shared calendar write | Edit shared calendars the user can already edit in Outlook |
Grant tenant-wide admin consent
Recommended path, in the Microsoft Entra admin center:
- Have one user attempt to connect Microsoft in Dainvo once. This creates the Dainvo service principal in your tenant.
- Open Entra admin center > Identity > Applications > Enterprise applications.
- Find Dainvo (application ID
1f03ba16-1742-4ebd-94df-be0f0e6377c6). - Open Permissions and choose Grant admin consent.
Alternative: open the admin consent URL below while signed in as a Global Administrator or Privileged Role Administrator.
https://login.microsoftonline.com/organizations/adminconsent?client_id=1f03ba16-1742-4ebd-94df-be0f0e6377c6&redirect_uri=http://localhost
After you approve, the browser redirects to http://localhost and shows a connection error. This is expected for a desktop app: the consent is already recorded before the redirect.
If you prefer per-user consent, you can instead allow user consent for this application through your user consent policies.
Google Workspace
OAuth client IDs (all in the same Dainvo Google Cloud project):
| Client | Client ID |
|---|---|
| Desktop app | 510973960767-tsurqt2c5ejprvvkciiafrpviltp0osl.apps.googleusercontent.com |
| iOS app | 510973960767-tu86bjtgkcqjv5npljisge5pvs20i4l7.apps.googleusercontent.com |
If your admin console shows another client from project number 510973960767 (for example the Android app, which is registered by package name and signing certificate), it belongs to the same Dainvo project.
Scopes
| Scope | When it is requested | Why Dainvo needs it |
|---|---|---|
openid, email, profile | Always | Identify the signed-in account |
https://www.googleapis.com/auth/calendar | Connecting an account (default, desktop) | Two-way calendar sync: read events, create and edit events the user makes in Dainvo |
https://www.googleapis.com/auth/calendar.readonly | Connecting an account (mobile) | Read-only calendar view on mobile |
https://www.googleapis.com/auth/tasks | Only when the user enables Google Tasks | Two-way Google Tasks sync |
Dainvo requests no Gmail scopes.
Allow Dainvo for your organization
- Open the Google Admin console.
- Go to Security > Access and data control > API controls > App access control.
- Choose Manage third-party app access, then Configure new app.
- Search by the client ID (use the desktop client ID above), select the Dainvo clients, and mark them Trusted.
Marking the app Trusted by client ID works even while Google's app verification review is in progress, so your users are never blocked by the verification status.