Calendar Sync When Your Company Blocks Third-Party Apps

You find a calendar tool that does exactly what you need. You sign up, you click "Connect Google" or "Connect Microsoft," the OAuth screen pops up, and you hit Allow. Then, instead of "Connected," you get this:

Your administrator has disabled access for this third-party app.

Maybe the consent screen just refuses. Maybe it grants and then silently fails. The wording varies, but the message is the same: IT shut the door, and nothing in your settings reopens it.

I hear this constantly. Someone wants to stop their personal life from colliding with their work calendar, finds a sync tool, and gets stonewalled by their own company before they've started. So this post is about why nearly every tool hits that wall — and the one way to do calendar sync without OAuth on the work account, including with CalendarPipe. The short version: if your company blocks third-party calendar apps, you stop trying to connect the work calendar at all.

Why a blocked OAuth screen kills almost every sync tool

Here's the mechanism. Calendar sync tools — Reclaim, Clockwise, CalendarPipe, all of them — work by OAuth-connecting your work calendar so they can read and write events on it. That connection is the product. No connection, no sync.

Plenty of Google Workspace and Microsoft 365 organizations now block exactly that. An admin flips a single org-wide policy and every "third-party app" that asks for calendar access is denied by default. It's a reasonable security posture from their side — they don't want random apps reading the company's calendar data. From your side, it means the front door is bolted shut.

And to be clear: this is not a setting you can tweak. The block lives on the admin console, which you don't control. You can file a ticket asking IT to allowlist the app, and maybe they will — but at a locked-down enterprise, or as a contractor with no standing to ask, the realistic answer is no. OAuth has exactly one way in, and it's the one your company turned off.

So if every tool needs to connect your work calendar, and your company won't let any tool connect it, you're stuck. Unless you stop trying to connect the work calendar.

The fix: don't connect the work calendar at all

Every sync tool quietly assumes that to get events onto your work calendar, it has to be plugged into it — read access, write access, OAuth, the whole handshake. That assumption is what IT blocks. It's also wrong.

There's an older, dumber, more universal way to put an event on someone's calendar, one that predates OAuth and every calendar API: you email them an invitation. When a colleague invites you to a meeting, nothing gets "connected." An invite lands in your inbox, you click Accept, and the event appears. No app authorized anything.

That's the entire move. Instead of connecting your work calendar, you connect only your personal calendar as the source — your own account, which IT doesn't control — and deliver the events to your work address as invitations. Your work calendar is never linked to CalendarPipe. There's nothing for an admin to approve, because from the work account's perspective, all that ever arrives is an ordinary meeting invite.

One honest clarification, because I'd rather be precise than sound slicker than I am: you do still connect one calendar — your personal one — and that part may use OAuth (for personal Google or Microsoft) or an app-specific password (for Apple). The "no OAuth" claim is specifically about your work calendar. That's the locked-down one, and that's the one you never touch.

How invitation delivery syncs your calendar without admin permission

CalendarPipe has two ways to deliver a synced event.

The usual one is direct delivery: it writes the event straight into a connected calendar through the provider's API. That's the model that needs OAuth on the target — and the model your company blocks.

The other is invitation delivery, and it's the answer here. Instead of writing into a calendar, CalendarPipe sends each synced event as a standard email meeting invitation — a normal iCalendar (.ics) invite, the exact kind your coworkers send you all day. It goes to whatever email address the rule points at. In this case, your work email.

From your work inbox it looks completely ordinary:

• An invitation shows up for each synced event.
• You click Accept (or Decline, or Tentative — your call).
• It appears on your work calendar like any other accepted meeting.

Nothing is installed. Nothing is authorized on the work account. And because it travels over plain email, it rides through the same corporate mail gateway and firewall that already lets every other meeting invite through. It's just email doing what email does.

That's also why it works with any client — Outlook, Gmail, Apple Mail, whatever your company runs. An .ics invitation is a universal format; there's no CalendarPipe-specific software anywhere on the work side, which is the whole point when IT blocks third-party apps.

Setting it up

Start to finish, this takes a few minutes:

1. Connect your personal calendar as the source. Personal Google or Microsoft (your own account), Apple over CalDAV with an app-specific password, or even a read-only feed. This is the only connection involved, and it's entirely yours.
2. Create a sync rule with that personal calendar as the source.
3. Add a gate if you want to filter or clean things up — more on that below. Optional, but I'd use it.
4. Set delivery mode to invitation, with the target as your work email address. One target email per rule.
5. Activate it. From then on, synced events arrive in your work inbox as invitations on a schedule, and you accept the ones you want.

The one thing I'll be upfront about: invitation delivery is a Pro feature. The free plan only does direct delivery — which is precisely the thing your company blocks — so for this scenario, free won't get you there. You need Pro, which is $4/month ($3.33 billed annually, with a 14-day trial). I'd rather tell you that plainly than have you sign up for free and hit the wall a second time. Invitation delivery is the entire reason this approach works, and it lives on Pro.

You stay in control of what reaches work

Every rule runs a gate function — a tiny bit of logic that inspects each event before it goes out — so you decide exactly what reaches your work inbox. That matters more here than usual, because these are your personal events heading to a work address.

A gate can:

• Send only what you choose — filter by calendar, by keyword, by a tag you control, so your 7am gym slot stays private but your "block this" events come through.
• Strip the details — rewrite the title to "Busy," clear the description and location, mark it private. Your colleagues see that you're unavailable, never why.

So even routing personal commitments to a work address, you're not over-sharing. If privacy is your main concern, I went deeper on it in a companion piece: keep the synced events private with a gate.

One limit, so nobody's surprised: a gate can change how an event looks, but not when it happens. It can't shift start or end times — the busy block lands exactly when your real commitment is. That's by design; it'd be useless otherwise.

Who this is for

This is a niche fix, so let me be honest about who actually needs it.

If your company does let you connect your work calendar, you don't need any of this — use direct delivery and move on. Invitation delivery exists for the people who've already hit the wall:

• Locked-down enterprises where third-party OAuth is disabled org-wide and a ticket to IT is going nowhere.
• Contractors and consultants on a client's Workspace or 365 tenant, with no admin standing to request an exception.

For both, the invitation route is the only one that works, because it never asks the work account for anything.

Wrapping up

The OAuth wall feels final: the tool needs access, IT won't give it, end of story. But the wall is only there because every tool insists on connecting your work calendar. The moment you stop doing that — connect your personal calendar, deliver to work as plain invitations — the problem dissolves. No admin approval, no firewall fight, no app authorized on the work side.

If your company has been blocking every calendar tool you try, this is the way through: connect your personal calendar, set delivery to invitation, point it at your work email, and accept what lands. You'll need Pro for invitation delivery, but that's $4 a month for the one approach that works where OAuth-based tools can't.

Start at CalendarPipe, and the docs walk through each step if you want the detail.

— Jakub