Deploying SharePoint Online Extension
Nitro PDF Pro for Windows
This guide outlines the steps needed to set up the Nitro PDF Pro SharePoint Extension.
Deployment
Please follow the instructions from Microsoft: Use the App Catalog to make custom business apps available for your SharePoint environment.
IMPORTANT: SharePoint admin permissions may be required.
During the deployment, SharePoint Online gives an option to deploy the package tenant wide or per site. If the package is deployed tenant wide it will be automatically available for use on all sites and sub-sites of the current SharePoint tenant.

Otherwise, after deployment, the package should be enabled manually on each site where it should be used. For this:
- Open the SharePoint site settings and select Add an app.
- From the menu on the left, select From my organization.
- Search for the Nitro Pro for SharePointOnline application and click Add.

SharePoint Online extension versions compatible with Nitro PDF Pro
For the Nitro Pro SharePoint Online extension to work properly, it is recommended to install a Nitro Pro version that corresponds to the deployed package version:

| SharePoint Online extension | Nitro PDF Pro |
|---|---|
| 1.12.0.x | 13.60+ |
Security
SharePoint Online extension
The extension itself does not require any extra permissions to access the document. As a client-side extension, it runs with the permissions of the currently logged-in user. As a result, the extension has access only to the files that the user can currently access.

Explaining Nitro PDF Pro permission request
In order to open and save a SharePoint Online document, Nitro Pro requires additional access to the SharePoint Online server.
The first time, the users may be prompted to accept consent. It is recommended to log in to SharePoint Online from Nitro Pro with admin permissions first and accept the consent on behalf of the organization.
The full list of the permissions that Nitro Pro may request is:
| Permissions | Type | Description | Needed for feature | Notes |
|---|---|---|---|---|
| **Microsoft Graph** | | | | |
| User.Read | Delegated | Sign in and read user profile | SharePoint Online, OneDrive, Azure Information Protection | Allows sign in, called "generally required" in MS docs. |
| Files.ReadWrite | Delegated | Have full access to user files | OneDrive, SharePoint Online | |
| Sites.Manage.All | Delegated | Create, edit, and delete items and lists in site collections | SharePoint Online | Needed to upload files to SharePoint. |
| Offline_access | Delegated | Maintain access to data you have given it access to | OneDrive, SharePoint Online | Gives access to refresh tokens, called "generally required" in MS docs. |
| **Azure Rights Management Service** | | | | |
| user_impersonation | Delegated | Create and access protected content for user | Azure Information Protection | Requested by MIP SDK when reading policy and labels. |
| Content.DelegatedWriter | Application | Create protected content on behalf of a user | Azure Information Protection | Requested by MIP SDK to protect a document. |
| **Microsoft Information Protection Sync Services** | | | | |
| UnifiedPolicy.User.Read | Delegated | Read all unified policies a user has access to | Azure Information Protection | Requested by MIP SDK when reading policy and labels. |
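
The following is an added example, not code from Nitro or Microsoft: one way an administrator could compare the delegated consent actually granted to Nitro Pro against the permission list above and flag anything beyond it. It assumes grant records exported in the shape of Microsoft Graph `oauth2PermissionGrant` objects with a hypothetical pre-resolved `resourceName` field, and the sample records are constructed; the Application-type `Content.DelegatedWriter` is left out because it is not a delegated scope.

```python
import json

# Delegated scopes documented on this page, keyed by the resource names the page uses.
DOCUMENTED = {
    "Microsoft Graph": {"User.Read", "Files.ReadWrite", "Sites.Manage.All", "Offline_access"},
    "Azure Rights Management Service": {"user_impersonation"},
    "Microsoft Information Protection Sync Services": {"UnifiedPolicy.User.Read"},
}

# Constructed sample, shaped like Microsoft Graph oauth2PermissionGrant objects.
# "resourceName" is an assumed, pre-resolved field: real grants carry only a
# resourceId that has to be looked up against the resource's service principal.
SAMPLE_GRANTS = json.loads("""
[
 {"consentType": "AllPrincipals", "principalId": null,
  "resourceName": "Microsoft Graph",
  "scope": "User.Read Files.ReadWrite Sites.Manage.All offline_access"},
 {"consentType": "Principal", "principalId": "user-0001 (constructed)",
  "resourceName": "Microsoft Graph", "scope": "User.Read Mail.Read"},
 {"consentType": "AllPrincipals", "principalId": null,
  "resourceName": "Azure Rights Management Service", "scope": "user_impersonation"}
]
""")

def audit_grants(grants, documented=DOCUMENTED):
    """Return (findings, missing): scopes granted beyond the documented list,
    and documented scopes that have no tenant-wide (AllPrincipals) grant."""
    # Scope names are compared case-insensitively (page: Offline_access).
    allowed = {res: {s.lower() for s in scopes} for res, scopes in documented.items()}
    tenant_wide = {res: set() for res in documented}
    findings = []
    for g in grants:
        res = g["resourceName"]
        granted = {s.lower() for s in g.get("scope", "").split()}  # space-separated
        extra = sorted(granted - allowed.get(res, set()))
        if extra:
            who = "tenant-wide" if g["consentType"] == "AllPrincipals" else g["principalId"]
            findings.append({"resource": res, "granted_to": who, "undocumented": extra})
        if g["consentType"] == "AllPrincipals" and res in tenant_wide:
            tenant_wide[res] |= granted
    missing = {res: sorted(allowed[res] - tenant_wide[res])
               for res in documented if allowed[res] - tenant_wide[res]}
    return findings, missing

if __name__ == "__main__":
    findings, missing = audit_grants(SAMPLE_GRANTS)
    print("Undocumented scopes:", findings)
    print("Documented scopes without admin consent:", missing)
```

A non-empty `missing` result means users may still see a consent prompt for that resource; a non-empty `findings` result means the app holds a delegated scope the list above does not account for.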
Explaining OAuth Access Token Management
The access token is stored in
C:\Users\<user>\AppData\Roaming\Nitro\Pro\13\ms_graph_token_cache.msal
and is handled and encrypted using the Microsoft.Identity.Client library.
To protect ms_graph_token_cache.msal, Nitro Pro uses the Windows Data Protection API (DPAPI), which encrypts data with the current user’s credentials.
The only access information that Nitro Pro handles is the login e-mail, and it stores it directly in the registry key:
HKEY_CURRENT_USER\Software\Nitro\Pro\13\Settings\MicrosoftAccount\email
Everything else is handled via the AIP SDK (that will end in the MSI and MSIPC folder) or the Microsoft.Identity.Client.
More information about the Microsoft identity platform and authentication can be found here: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow.