This guide outlines the steps needed to set up the Nitro PDF Pro SharePoint Extension.
Deployment
Follow the instructions from Microsoft in "Use the App Catalog to make custom business apps available for your SharePoint environment".
IMPORTANT: SharePoint admin permissions may be required.
During deployment, SharePoint Online offers the option to deploy the package tenant-wide or per site. If the package is deployed tenant-wide, it is automatically available for use on all sites and sub-sites of the current SharePoint tenant.
Otherwise, after deployment, the package must be enabled manually on each site where it is to be used. To do so:
- Open the SharePoint site settings and choose Add an app.
- From the menu on the left, select From my organization.
- Search for the Nitro Pro for SharePointOnline application and click Add.
SharePoint Online extension versions compatible with Nitro PDF Pro
For the Nitro Pro SharePoint Online extension to work properly, it is recommended to install the Nitro Pro version that corresponds to the deployed package version:
| SharePoint Online extension | Nitro PDF Pro |
|---|---|
| 1.12.0.x | 13.60+ |
Security
SharePoint Online extension
The extension itself does not require any extra permissions to access documents. As a client-side extension, it runs with the currently logged-in user's permissions. As a result, the extension has access only to the files that the user can already access.
Explaining Nitro PDF Pro permission request
To open and save a SharePoint Online document, Nitro Pro requires additional access to the SharePoint Online server.
Users may be prompted for consent the first time they sign in. It is recommended that an administrator log in to SharePoint Online from Nitro Pro first and grant consent on behalf of the organization.
The full list of permissions that Nitro Pro may request is:
| Permissions | Type | Description | Needed for feature | Notes |
|---|---|---|---|---|
| Microsoft Graph: | | | | |
| User.Read | Delegated | Sign in and read user profile | SharePoint Online, OneDrive, Azure Information Protection | Allows sign-in; called "generally required" in the Microsoft docs. |
| Files.ReadWrite | Delegated | Have full access to user files | OneDrive, SharePoint Online | |
| Sites.Manage.All | Delegated | Create, edit, and delete items and lists in site collections | SharePoint Online | Needed to upload files to SharePoint. |
| offline_access | Delegated | Maintain access to data you have given it access to | OneDrive, SharePoint Online | Grants refresh tokens; called "generally required" in the Microsoft docs. |
| Azure Rights Management Service: | | | | |
| user_impersonation | Delegated | Create and access protected content for user | Azure Information Protection | Requested by the MIP SDK when reading policy and labels. |
| Content.DelegatedWriter | Application | Create protected content on behalf of a user | Azure Information Protection | Requested by the MIP SDK to protect a document. |
| Microsoft Information Protection Sync Services: | | | | |
| UnifiedPolicy.User.Read | Delegated | Read all unified policies a user has access to | Azure Information Protection | Requested by the MIP SDK when reading policy and labels. |
Explaining OAuth Access Token Management
The access token is stored in
C:\Users\<user>\AppData\Roaming\Nitro\Pro\13\ms_graph_token_cache.msal
and is handled and encrypted by the Microsoft.Identity.Client library.
To protect ms_graph_token_cache.msal, Nitro Pro uses the Windows Data Protection API (DPAPI), which encrypts the data with the current user's credentials.
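As an added example (not Nitro's code), the following Python checks that a cache file has the shape the paragraph above describes: a DPAPI (CryptProtectData) blob whose header is bound to the user rather than to the machine, instead of plaintext JSON. It assumes the file at the path above is a raw DPAPI blob, reads only the unencrypted header (no decryption), and the sample bytes it tests against are constructed.

```python
import os
import struct
import uuid

# Provider GUID at the start of every DPAPI (CryptProtectData) blob.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CRYPTPROTECT_LOCAL_MACHINE = 0x4  # blob is decryptable by any account on the host
HEADER_LEN = 48  # version + provider GUID + mk version + mk GUID + flags + desc len

def inspect_dpapi_blob(blob: bytes) -> dict:
    """Parse the plaintext DPAPI header (no decryption); ValueError if not a DPAPI blob."""
    if len(blob) < HEADER_LEN:
        raise ValueError("too short to be a DPAPI blob")
    version, provider = struct.unpack_from("<I16s", blob, 0)
    if version != 1 or uuid.UUID(bytes_le=provider) != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob (provider GUID header missing)")
    mk_version, mk_guid, flags, desc_len = struct.unpack_from("<I16sII", blob, 20)
    if mk_version != 1 or HEADER_LEN + desc_len > len(blob):
        raise ValueError("malformed DPAPI blob header")
    description = blob[HEADER_LEN:HEADER_LEN + desc_len].decode("utf-16-le")
    return {
        "master_key_guid": str(uuid.UUID(bytes_le=mk_guid)),
        "flags": flags,
        "user_scoped": not flags & CRYPTPROTECT_LOCAL_MACHINE,
        "description": description.rstrip("\x00"),
    }

def audit_token_cache(data: bytes) -> str:
    """Triage the contents of ms_graph_token_cache.msal: plaintext, machine-scoped or OK."""
    if data.lstrip()[:1] in (b"{", b"["):
        return "UNPROTECTED: cache is plaintext JSON"
    try:
        info = inspect_dpapi_blob(data)
    except ValueError as exc:
        return f"UNKNOWN: {exc}"
    if not info["user_scoped"]:
        return "WEAK: DPAPI blob uses machine scope, any local account can decrypt it"
    return f"OK: DPAPI blob bound to the current user (master key {info['master_key_guid']})"

def sample_blob(flags: int, description: str = "constructed sample") -> bytes:
    """Constructed header-only blob for offline testing; not a real cache file."""
    desc = (description + "\x00").encode("utf-16-le")
    master_key = uuid.UUID("11111111-2222-3333-4444-555555555555")  # made-up GUID
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le + struct.pack("<I", 1)
            + master_key.bytes_le + struct.pack("<II", flags, len(desc)) + desc)

if __name__ == "__main__":
    # %APPDATA% resolves to C:\Users\<user>\AppData\Roaming, the location named above.
    path = os.path.expandvars(r"%APPDATA%\Nitro\Pro\13\ms_graph_token_cache.msal")
    with open(path, "rb") as f:
        print(audit_token_cache(f.read()))
```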
The only account information that Nitro Pro handles itself is the login e-mail address, which it stores directly in the registry key:
HKEY_CURRENT_USER\Software\Nitro\Pro\13\Settings\MicrosoftAccount\email
Everything else is handled by the AIP SDK (whose data ends up in the MSI and MSIPC folders) or by Microsoft.Identity.Client.
More information about the Microsoft identity platform and authentication can be found here: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow.