User Guide
Nitro PDF Pro

Deploying SharePoint Online Extension

This guide outlines the steps needed to set up the Nitro PDF Pro SharePoint Extension.


Please follow the instructions from Microsoft: Use the App Catalog to make custom business apps available for your SharePoint environment.

IMPORTANT: SharePoint admin permissions may be required.

During the deployment, SharePoint Online gives an option to deploy the package tenant wide or per site. If the package is deployed tenant wide it will be automatically available for use on all sites and sub-sites of the current SharePoint tenant.

sharepoint 1.png

Otherwise, after deployment, the package should be enabled manually on each site where it should be used. For this:

  1. Open SharePoint site settings and Add an app.
  2. From a menu on the left select From my organization.
  3. Search for Nitro Pro for SharePointOnline application and click Add
sharepoint 2.png

    SharePoint Online extension versions compatible with Nitro PDF Pro

    In order for Nitro Pro SharePoint Online extension to work properly, it is recommended to have a Nitro Pro version that corresponds to the deployed package version installed:

    SharePoint Online extensionNitro PDF Pro


    SharePoint Online extension

    The extension itself does not require any extra permissions to access the document. As a client-side extension, it runs with the current logged in user’s permissions. As a result, the extension has access only to the files that the user currently has.

    Explaining Nitro PDF Pro permission request

    In order to open and save a SharePoint Online document, Nitro Pro requires additional access to the SharePoint Online server.

    The first time, the users may be prompted to accept consent. It is recommended to log in to SharePoint Online from Nitro Pro with admin permissions first and accept the consent on behalf of the organization.

    The full list of the permissions that Nitro Pro may request is:

    PermissionsTypeDescriptionNeeded for featureNotes

    Microsoft Graph  :
    User.Read  Delegated Sign in and read user profile - SharePoint Online 
    - OneDrive 
    - Azure Information Protection 
    Allows sign in, called "generally required" in MS docs. 
    Files.ReadWrite  Delegated Have full access to user files - OneDrive
    - SharePoint Online 
    Delegated Create, edit, and delete items and list in site collections - SharePoint OnlineNeeded to upload files to SharePoint. 
    Offline_access  DelegatedMaintain access to data you have given it access to - OneDrive
    - SharePoint Online 
    Give access to refresh tokens, called "generally required" in MS docs. 

    Azure Rights Management Service  :  

    user_impersonation  Delegated Create and access protected content for user - Azure Information Protection Requested by MIP SDK when reading policy and labels. 
    Content.DelegatedWriterApplicationCreate protected content on behalf of a user- Azure Information Protection Requested by MIP SDK to protect a document

    Microsoft Information Protection Sync Services   :

    UnifiedPolicy.User.Read  Delegated Read all unified policies a user has access to - Azure Information Protection Requested by MIP SDK when reading policy and labels. 

    Explaining OEUTH Access Token Management

    The access token is stored in  
    and is handled and encrypted using the Microsoft.Identity.Client library. 

    To protect ms_graph_token_cache.msal Nitro Pro is using Windows Data Protection API, which encrypts data with the current user’s credentials.

    The only access information that Nitro Pro handles is the login e-mail, and it stores it directly in the registry key: 

    Everything else is handled via the AIP SDK (that will end in the MSI and MSIPC folder) or the Microsoft.Identity.Client.

    More information about Microsoft Identity platform and authentication can be find here:

    Nitro PDF Pro