Table of Contents
Example of Adobe-Microsoft Co-operation Around PDFs
Microsoft’s December 5 announcement that tenants can opt to use a new Adobe integration with Teams to open PDFs instead of the built-in Teams viewer is evidence of the close relationship between the two companies around PDF processing in Microsoft 365. PDFs are hugely important within Microsoft 365 as a means of sharing information generated both inside and outside organizations. My guess is that Office documents and PDFs cover 97% of all files stored in SharePoint Online and OneDrive for Business.
Earlier examples of Microsoft-Adobe co-operation include:
- Adobe’s support for management of sensitivity labels in the paid versions of Adobe Acrobat. This means that users can apply or update sensitivity labels in the app instead of having to do so externally.
- Office desktop apps can generate protected PDFs from documents with sensitivity labels that encrypt the content. Users who open the protected PDFs must have the right to open the original document.
- The Edge browser does a good job of reading PDF content protected with sensitivity labels.
The details of how to configure Teams to make the change are available online and don’t need to be repeated here. The new integration is available for the Teams desktop and browser clients but not for Teams mobile.
Adobe’s Enterprise Azure AD Apps
The interesting thing about the integration is the Adobe’s use of an enterprise Azure AD app with a bunch of delegate Graph API permissions (Figure 1). Part of implementing the integration involves granting consent for these permissions, which allow the app to read details about the signed-in user and access their files. The permissions are needed to make the integration work.
My tenant now boasts three Adobe enterprise apps (Figure 2). The Adobe Document Cloud app has similar permissions and is used to open PDF files stored in SharePoint Online in Adobe’s document cloud. The Adobe Reader app has permissions to interact with Microsoft Information Protection. It’s the oldest app and is used by an integration between the old Azure Information Protection client and Adobe Acrobat. Interestingly, the newest app does not use the Adobe logo while the older two do.
The existence of multiple Adobe enterprise apps in Azure AD underlines the need for tenant administrators to know what function enterprise apps serve. An enterprise app is a tenant-specific instance of an application object. In this case, the three apps are owned by Adobe, so the enterprise app is an instance of those apps installed into my tenant. The service principal associated with each app determines who can use the app and what they can do.
Opening PDFs from Teams
The big difference about opening a PDF using the Adobe integration instead of the Teams viewer is that the app extracts the file from Teams (or rather, SharePoint Online or OneDrive for Business) and copies it for processing in Adobe Document Cloud (or what’s referred to as “Adobe’s signature PDF experience”). Figure 3 shows a typical example of reading a PDF in Adobe Document Cloud.
Users don’t need licenses to view PDFs and can sign into Adobe Document Cloud with a free account to annotate, comment, or apply sticky notes to PDFs. Users with paid-for licenses can access other features. For more information, see Adobe’s FAQ.
When the integration is active, users have two options to open a PDF from Teams (Figure 4). Open in Adobe Acrobat means “open in Adobe Document Cloud.” It’s interesting that you cannot open a PDF protected with sensitivity label encryption through Adobe Document Cloud. This is likely because the Document Cloud cannot open a protected PDF because it cannot prove that it’s doing so on behalf of a user with rights to access the content. In this situation, you can open the protected PDF with a browser or download a local copy and open it with Adobe Acrobat or another reader that supports protected content.
If you want to use the Teams viewer with a PDF, you can use the Preview option. This can’t open protected PDFs either.
Microsoft notes that Adobe removes the PDFs copied to Document Cloud within 24 hours. According to Adobe, PDFs remain encrypted in transit and at rest during cloud processing.
Sensitivity Labels Shown in Send Link Dialog
Another recent change associated with sensitivity labels is that the send link dialog used by SharePoint Online and OneDrive for Business when users share files with others now includes the sensitivity label (Figure 5), if a file has an assigned label. This change is covered in Microsoft 365 notification MC481831 (December 8). Microsoft didn’t give any heads-up before introducing the change, but it’s a good one that helps people to understand the nature of the information they share.
The new Send link dialog should now be available in all tenants. It’s an example of how a small change makes a big difference.
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.