Watermark and secure OnOpen in SharePoint Online FAQ
This guide answers common questions about the real-time (OnOpen) watermarking and security feature available in Nutrient Document Converter for SharePoint Online (formerly Muhimbi PDF Converter).
This guide doesn’t apply to the on-premises version of the same feature.
For background information, refer to the blog post on adding watermarks when files are opened or downloaded in SharePoint Online.
Does the OnOpen facility work with list item attachments?
Yes. This feature works with files stored in document libraries and files attached to list items.
Can the OnOpen facility process non-PDF files?
Yes. You can apply watermarks and security in real time to Word, Excel, PowerPoint, and PDF files.
-
This applies to modern file formats (DOCX, XLSX, PPTX, PDF) only.
-
To process legacy formats (DOC, XLS, PPT), convert them to their modern equivalents using Nutrient Document Converter.
For other file types, convert them to PDF using the SharePoint user interface, Power Automate, Azure Logic Apps, REST API, or SharePoint Designer workflows.
Does this work for both modern and classic lists and libraries?
Yes, but SharePoint’s modern experience uses a different extension model than the classic version.
To enable the OnOpen facility in lists and libraries that use the modern view, complete additional installation steps. For instructions, refer to the guide on enabling real-time watermarking on modern view libraries.
Why does SharePoint behave differently when this functionality is enabled?
To apply watermarks and security settings automatically when files are opened in SharePoint Online, certain SharePoint features are disabled. This prevents users from bypassing watermarking.
The following functionality is affected:
-
Drag-and-drop file operations
-
Downloading entire folders at once
-
Some sharing options
This behavior is intentional. Inform users in affected site collections that these features have been disabled as part of the security design.
Which web browsers are supported?
This functionality supports all web browsers that SharePoint Online supports.
Internet Explorer is no longer supported by Microsoft for SharePoint Online. As a result, Nutrient doesn’t officially support Internet Explorer, even if some functionality may still work.
Does this work for external and guest users?
The real-time watermarking facility supports external users, but not guest users.
To enable watermarking for external users, add them to the site group named Nutrient Document Converter - Automatic PDF Processing. This group is automatically created when you enable the app feature named Nutrient Document Converter - Automatic PDF Processing.
How to add external users:
-
Go to Site Settings > Real-Time Settings
-
Select Refresh security group
This action adds all eligible external users to the required site group.
Important
-
External users must access the site at least once before they can be added to the group. Make this step part of your external user onboarding process.
-
Repeat the refresh process whenever you add new external users to the site.
Known limitations
-
SharePoint doesn’t store certain user properties for external users, such as
{USER_NAME}
and{LOGON_USER}
. These fields will be empty in watermarks. -
For a list of available watermark fields, refer to the field codes section.
Recommendations
-
When using the modern experience, share files with specific people.
-
When using the classic experience, enable Require sign-in if this setting is available under the site collection’s sharing configuration.
Should I be concerned about users saving secured or watermarked files back to SharePoint?
Yes.
While this issue doesn’t typically apply to PDFs which are generally read-only, files such as MS Word, Excel, and PowerPoint are often edited and saved back to SharePoint.
When automatic watermarking and security are applied each time a document is opened, there’s a risk that users may save the secured version back into SharePoint. For example:
-
A user opens a Word file that has been automatically watermarked and password protected.
-
After making edits, the user saves the document back to SharePoint.
-
The saved version now permanently includes the watermark and password protection.
These security features cannot be removed unless someone with the correct password manually edits the document.
Recommendations
-
Use filters to apply real-time watermarking and security only in specific scenarios.
-
Apply these settings to read-only documents or to dedicated folders used for sharing content externally.
Plan your implementation carefully based on how documents are used and whether they’re intended for editing or read-only consumption.
How secure is the real-time watermarking facility, and can it still be bypassed despite security measures? Which SharePoint features are disabled when using this facility?
Our real-time watermarking facility is designed as a lightweight digital rights management (DRM) solution, used by some customers to prevent content copying, disable printing, and add user details (IP, Name, Date, Time) as a watermark to each opened file. SharePoint Online is a highly restricted platform, and we’ve implemented every possible measure to ensure files are processed when opened by end users.
While real-time watermarking disables several SharePoint features to protect content, it cannot fully prevent all methods of bypassing watermarks. When you enable our real-time watermarking in SharePoint, the following features become unavailable to maintain content security:
-
Preview
-
Copy to
-
Move to
-
Open in browser (from context menu; top menu remains functional)
-
Copy link
-
Pin to top
-
Open in app
-
Open in immersive reader (for Office documents)
-
Download multiple files
-
Manage access (from context menu)
-
Download attachment in List
Despite these measures, there are a number of scenarios in which we cannot intercept the file and process it for securing/watermarking:
-
There is a slight delay (fraction of a second) after a page is loaded, but before the OnOpen facility becomes available. Theoretically, it’s possible — under extreme circumstances — for extremely fast and knowledgeable users to click a file before it can be processed.
-
SharePoint’s Send a copy facility can be used to send a file to a different location. Our software cannot intercept this facility.
-
Any files downloaded outside the browser — for example, programmatically through client-side object model (CSOM) — aren’t processed by the OnOpen facility.
-
Files synced using software such as OneDrive bypass our software and won’t apply watermarking in real time.
-
Files shared using SharePoint Online’s Share Link facility aren’t processed. However, content shared at a higher level — for example, an entire site — is processed.
From time to time, Microsoft makes changes, particularly to the modern view, which may impact the availability of our watermarking and security facilities. We’re always on top of the latest changes and continuously test the software on the latest SharePoint Online Targeted release.
It’s recommended that customers never enable the latest targeted release, as this may cause issues with third-party software such as our real-time watermarking facility.
How does this count toward my subscription’s monthly operations?
Each Document Converter for SharePoint Online subscription includes a fixed number of monthly operations — for example, 1,000 operations. An operation is counted every time a file is processed, whether for conversion, watermarking, or security. This applies across all platforms: SharePoint UI, Power Automate workflows, REST API, or OnOpen.
Key points
-
When the OnOpen facility is enabled on a list or library, every file that’s opened counts as one operation.
-
If both Secure OnOpen and Watermark OnOpen are enabled, it still counts as one operation per file open, as these actions are processed together.
-
If a user opens the same file multiple times, each open action counts as a separate operation. The system reprocesses the file each time to reflect the most current data.
Recommendation
If your use case doesn’t require real-time updates, consider applying watermarks and security through workflows. This approach processes the file only once, regardless of how many times it’s opened afterward.
How does it apply watermarks across different time zones?
Users often access a SharePoint site collection from various regions. When a watermark includes a date or time, the system adjusts it based on the time zone set in the current user’s profile.
Time zone handling
-
If the user profile includes a time zone, the watermark reflects that time zone.
-
If the user profile doesn’t include a time zone or it’s restricted — for example, set to “visible to me only” — the system uses the site collection’s default time zone.
For steps to update time zone settings in a user profile, refer to this Microsoft article.
What about formatting of dates and numbers?
Different regions use different formatting options for dates and numbers. For example, in the USA, people expect dates to be formatted in mm/dd/yyyy format, while in most European countries, the dd/mm/yyyy convention is used. Similarly, some countries use a comma to delimit fractions, while other countries use a period (.).
When applying this information as a watermark, the OnOpen facility takes the regional settings associated with the user’s profile. If this information isn’t specified in the profile, then it’ll take the regional settings specified at the Site Collection level. For details about how to change the user profile settings, refer to the Microsoft article on changing language and region settings.
Will this facility slow down access to watermarked documents?
Yes, to some extent.
Because third-party software cannot run directly within SharePoint Online, Nutrient processes documents through a secure cloud service hosted on Microsoft Azure. When a file is accessed:
-
A secure link retrieves the file from your SharePoint environment.
-
The file is processed (for example, watermarked or encrypted).
-
The processed file is returned to the user.
Performance impact
-
This process adds some overhead due to file retrieval and processing.
-
On average, files processed through the OnOpen facility may take up to twice as long to open compared to unprocessed files.
-
In most cases, especially with smaller files, this delay isn’t significant.
A document will be opened by thousands of users in a short time. Will this be a problem?
It can be, depending on document size, complexity, and how many users open the file simultaneously.
What to expect
-
High concurrent access generates significant bandwidth usage within your network.
-
Nutrient’s software must repeatedly fetch the file from your SharePoint servers, which can be a slow process.
-
While Nutrient monitors and scales its Azure-based infrastructure continuously, capacity isn’t unlimited. Very high peak loads may cause temporary slowdowns.
Recommendations
-
Plan ahead and test thoroughly.
-
Avoid sending mass communications instructing users to open the document all at once. Instead, stagger access over time to reduce peak load.
Does this also work when opening historical files?
Yes. The OnOpen facility processes files opened from SharePoint’s version history.
Important to note
-
If the watermark includes item-specific metadata, the values will be taken from the most recent version of the item.
-
SharePoint doesn’t support programmatic access to historical metadata, which limits the ability to reflect version-specific values in the watermark.
What happens when there’s an error?
The impact of a failed operation depends on how you use the OnOpen facility. For some scenarios — such as adding a DRAFT watermark — the failure may be acceptable. However, if you’re using the feature for security, you may need stricter error handling.
You can configure the error handling behavior under Site Settings > Real-time Settings.
Available options
-
Show the original, unprocessed document — Use this option if watermarking or security is optional. If an error occurs, the original document is returned without processing, as if the OnOpen facility weren’t active.
-
Block access to the original document (default) — Use this option when the document must be processed before access is granted. If processing fails, the user cannot access the document at all.
Common causes of errors
-
The file is already secured or encrypted.
-
The file is corrupt or contains syntax errors.
What happens when the subscription runs out of monthly operations?
Subscriptions for Nutrient Document Converter for SharePoint Online include a fixed number of operations per month. Each time the OnOpen facility is triggered, one operation is consumed. When the monthly limit is reached, the OnOpen facility becomes unavailable for the remainder of the billing period.
However, you can control how documents behave when operations are exhausted. Configure this under Site Settings > Real-time Settings.
Available options
-
Show the original, unprocessed document — Use this option when watermarking or security is optional. If operations run out, the system returns the original document without processing.
-
Block access to the original document (default) — Use this when processing is mandatory. If no operations remain, access to the document is blocked entirely.
Refer to the previous section for details about how this setting behaves in error scenarios.
How can I include user-specific information and metadata in a watermark?
The OnOpen facility enables you to include up-to-date metadata and user-specific information in watermarks. This may include standard fields such as Title, Author, or Last Modified, as well as custom columns, time-based data, and user identity details.
You can add this information using macros — text enclosed in braces {}
. The system replaces these macros with the relevant values when processing the file.
Supported macros
Macro | Description |
---|---|
{LONG_DATE} |
The long representation of the current date — for example, 18 April 2011. |
{LONG_TIME} |
The long representation of the current time — for example, 12:35:48. |
{DATE} |
The short representation of the current date — for example, 7/03/2011. |
{TIME} |
The short representation of the current time — for example, 12:35. |
{PAGE} |
The number of the current page in the PDF file. This value is automatically updated for every page. This field is only supported by PDF files. |
{NUMPAGES} |
The total number of pages in the PDF file. This field is only supported by PDF files. |
Any column name — for example, {Title} , {Author} |
Any SharePoint column/field defined on the list, such as {Title} , {Author} . Use (case-sensitive) internal field names. For more information, refer to the list of internal field names. |
{HTTP_HOST} |
Returns the name of the web server. This may or may not be the same as SERVER_NAME , depending on the type of name resolution you’re using on your web server (IP address, host header). |
{HTTP_REFERER} |
Returns a string that contains the URL of the page that referred the request to the current page using an HTML <A> tag. Note that the URL is the one that the user typed into the browser address bar, which may not include the name of a default document. |
{HTTP_URL} |
Returns the raw, encoded URL — for example, /vdir/default.asp?querystring . |
{HTTP_USER_AGENT} |
Returns a string describing the browser that sent the request. |
{LOGON_USER} |
The Windows account that the user is impersonating while connected to your web server. Use REMOTE_USER to view the raw username that’s contained in the request header. |
{REMOTE_ADDR} |
The IP address of the remote host (identifying the user) that’s making the request. |
{REMOTE_HOST} |
The name of the host that’s making the request. If the server doesn’t have this information, it will set REMOTE_ADDR and leave this empty. |
{REMOTE_USER} |
The name of the user as it’s derived from the authorization header sent by the client, before the username is mapped to a Windows account. If you have an authentication filter installed on your web server that maps incoming users to accounts, use LOGON_USER to view the mapped username. |
{SERVER_NAME} |
The server’s host name, DNS alias, or IP address as it would appear in self-referencing URLs. |
{URL} |
Gives the base portion of the URL, without any query string or extra path information — for example, /vdir/default.asp . |
{USER_NAME} |
The user’s name, if available. |
{USER_EMAIL} |
The user’s email, if available. |
{UserProfile.InternalNameOfProperty} |
User profile property. Requires the add-in to be elevated centrally and the profile property to be visible to everyone. For more information, refer to the SharePoint user profile fields with their internal name. |
Use these macros to dynamically personalize document watermarks during each OnOpen processing event.
Where can I find more details about the free form watermark type?
The free form watermark type enables you to define complex watermark layouts that go beyond simple text or metadata fields. Nutrient Document Converter includes a flexible watermarking engine that supports:
-
Text (standard or RTF)
-
Images
-
Lines and circles
-
QR codes
-
Combinations of the above
You can apply any of these watermark types — or multiple types — in a single operation. This improves performance and reduces cost, as free form watermarking counts as one operation per file.
However, this flexibility comes with added complexity. Free form watermarks use an XML-based definition syntax. While this is accessible for power users, it may appear complex to others.
For guidance on defining free form watermarks using XML, refer to the guides on free form watermark XML and watermarking engine overview.
Is there anything I need to be aware of before watermarking Office file formats?
Yes. Office file formats have specific behaviors and limitations that can affect how watermarks appear. Understanding these nuances is essential to avoid unexpected results.
General notes
-
PDF files are ideal for watermarking — They support precise placement, page-specific targeting, and consistent rendering.
-
Office files (Word, Excel, PowerPoint) are limited due to how Microsoft Office renders and handles document structure.
Key considerations
-
Layering (Z-order)
-
Watermarks are added behind the content in Word and Excel.
-
Ensure document content (for example, images or scans) isn’t opaque or it may obscure the watermark.
-
PDFs offer better control over layering and transparency.
-
Targeting individual page
-
Supported in — PDF, PowerPoint (for example, watermark only on the third or last slide/page).
-
Not supported in — Word, Excel.
-
In Word, watermarks are applied per section, not per page. To target a specific page, it must be isolated in its own section.
-
In Excel, the same watermark is applied across all pages of a worksheet. You can, however, set different watermarks per sheet in a workbook. Some Excel settings also enable a different watermark on the first page.
-
-
Word header requirement
-
Watermarks in Word are added using page headers.
-
If a section lacks headers, the watermark won’t be applied.
-
Ensure all sections retain headers for watermarking to work.
-
RTF limitations in PowerPoint
-
Rich Text Format (RTF) watermarks are supported in most formats.
-
PowerPoint ignores RTF formatting — it only shows plain text.
-
Excel header/footer slot requirement
-
Excel enables six slots for headers/footers (three each at the top and the bottom).
-
Nutrient requires at least one slot without an image to apply a watermark.
-
If all slots are used with images, the watermark cannot be inserted.