Add watermarks when files are opened or downloaded in SharePoint Online / Office 365

Related Products

PDF Converter

PDF Converter


One of the more popular features of the on-premise version of the Muhimbi PDF Converter for SharePoint is the ability to add watermarks – including meta-data, ip-address, date/time information and user information – the moment a file is downloaded or opened. The file as it is sits in SharePoint remains untouched, but the file that is downloaded to the user includes the watermarks. At the same time the PDF file can be secured and encrypted to make sure the watermarks cannot be touched. For details about how this works for the on-premise version – largely identical to the online product – see this blog post.

Brilliant feature, quite often used for security / DRM-light purposes, but up until now only available for SharePoint On-Premises as providing this functionality in SharePoint Online – which is a very restricted platform – has proven to be….well…..tricky.

Well, that ends today as we are happy to announce the general availability of this functionality for the PDF Converter for SharePoint Online. Read on for details about how it works and how to enable it.

Update September 2020: This functionality is no longer limited to just PDF files, it also works with MS-Word, Excel and PowerPoint documents. For details seethis blog post.

How it works

Before we go into further detail, let’s agree on a short name for this Feature as ‘ Real Time Watermarking & Security when a file is accessed’ doesn’t roll off the tongue. Internally our team calls it ‘OnOpen’ as in something happens when a file is opened. So OnOpen it is, at least for the remainder of this post.

Once OnOpen is enabled (see the end of this post for details), whenever a PDF file is downloaded our software automatically adds any configured watermarks and security settings while the file is being sent to the user. It is up to the Site Administrators and List Owners to define these settings.

When OnOpen is first enabled on a site collection the settings are restricted by default. Site Collection Administrators will need to navigate to Site Settings / PDF Watermarking Settings (and/or PDF S ecurity Settings) to specify the default settings and optionally specify if List Owners can override these settings.


PDF Watermarking settings screen as opened from Site Settings.

Please note that by simply specifying this information at the Site Settings level, watermarks are NOT automatically enabled in the Site Collection’s Lists and Libraries. Although the default settings can be inherited from the Site Settings, it must be enabled on each Library or List manually and individually.

If there is no need to centrally control the content of the watermark and security settings then make sure the Allow overriding option is enabled. This makes it possible for the details to be specified manually on each list or library.

To either manually specify the settings at the List or Library level, or activate the centrally specified settings, navigate to the relevant list or library, and from the List / Library ribbon tab select Library Settings / List Settings. This screen contains two new entries,  PDF Watermarking Settings and PDF Security Settings, clicking the former shows the following screen.

WM-OnOpen-LibSettingsPDF Watermarking settings screen as opened from Library Settings

This screen provides the option to inherit the centrally specified settings, or – if permitted – manually specify settings and an optional filter.

By default watermarks are applied for every PDF file that is opened, but by specifying a filter it is possible to narrow it down based on a file’s meta-data, which can be very powerful. E.g. apply a ‘DRAFT’ watermark when the document status is set as such and skip the watermark if the status is ‘Final’.

Although adding static watermarks that don’t change over time can be very useful, the same can be achieved using our workflow facilities that only apply the watermark once rather than every time the document is opened. The real power of the OnOpen facility comes from the ability to insert Meta-Data or Macros in a watermark. This allows such scenarios as:

  • Apply a watermark showing when the document was opened from SharePoint. Opened on '{LONG_DATE} / {LONG_TIME}'
  • Include the name, login id and ip-number of the user who downloaded the document, a great security feature if a document shows up in a place it is not supposed to show up.   Opened by '{LOGON_USER}' ({USER_NAME}) on '{LONG_DATE} / {LONG_TIME}' from IP '{REMOTE_ADDR}'
  • Include the Title, file name and last modified date in a document.   Title: {Title}, File: {FileLeafRef}, Modified: {Modified}
  • Add hidden watermarks to a document. E.g. fully transparent text that is invisible to the user, but can be extracted at a later date in case a document is leaked or shared with an unauthorised party.
  • A mix of any of the above or any of the other meta-data fields and macros. A full list of Field codes and Macros can be found in this Knowledge Base article.

Finally, it is not just about watermarking as anyone with basic ‘Google search’ skills can download a simple PDF editor. To prevent users from modifying watermarks, and add additional layers of security by locking down printing and content copying, a Secure OnOpen facility is available as well.

Secure-OnOpen-ListSettingsApply Security when a file is opened

The concept is the same. Defaults can be specified at the Site Collection level, individual settings can then be enabled at the List or Library levels. Separate filters can be specified if needed. The available security settings are as follows:

  • Open Password: The user accessing the PDF file must know a specific password to open it.
  • Owner password: No password is needed to view the content, but all content is encrypted and any specified security options are locked down.
  • Security Options: Specify which option to lock down. The most popular ones are ‘Disable Printing’ and ‘Disable Content Copying’.

What happens when a document cannot be processed?

Although this facility is built upon an established and resilient platform, there are situations where a document cannot be processed. For example if the PDF is corrupt, already encrypted or the subscription has run out of monthly operations. It is important to decide up-front what to do in cases like this.


How the system deals with problematic situations can be configured using the PDF real-time settings link under Site Settings. The options are as follows:

  1. Show the original, unprocessed, document: For situations where watermarking or PDF security is a nice-to-have, but no show-stopper, you may want to choose this option, which will return the original document as if the OnOpen facility is not active at all.
  2. Block access to the original document: This option, which is the default, blocks access to the document if it cannot be processed. This is generally used in situations where the document MUST be processed before it is sent out, no exceptions.

How to enable

So, all in all a pretty cool feature, however it must be enabled by a Site Collection Administrator before it can be used. For details about how to do this see this Knowledge Base Article. Don’t forget to enable the Automatic PDF Processing App Feature after elevating the privileges, both steps are described in detail in the article.

Please note that extra installation steps are required when using this functionality in a List or Library utilising the Modern Experience. Details can be found inthis Knowledge Base article.

Any questions or feedback? Have a look at the FAQ, leave a comment below or contact our friendly support desk.


Labels: Articles, pdf, SharePoint Online, Watermarking

Have a Question?
We’re Always Happy to Help.

© Muhimbi Ltd. 2008 - 2024
This website uses cookies to ensure you get the best experience. Learn more