
PDF and Office 365

  • It is a great opportunity. Also add-on services not addressed like fax from Outlook have been popular. The company that does it in Europe took so long to call me back that we had our own solution deployed with clients before hearing from them.

    Microsoft is giving us a great gift of business opportunities. To make the most of it, keeping your clients enthusiastic concerning Microsoft is important because this is the product you are selling.

    And the things that I say are not all hype. It really is a complex process. Those of us with large scale implementation know that sometimes it is as much a combination of politics, psychology, education and social engineering as it is computer science.


  • Compliance standards have to do with ISO, HIPAA, and other standards because of the security requirements of the standards. Flawed PDF files can possibly compromise security making the solution of opening the PDF files in the browser break compliance with one or more standards that Microsoft is trying to guarantee.

    There are reasons for standards but to go into them would be outside of the scope of this thread.

  • I am trying to impart experience which could be useful for you.

  • Please show us in the marketing literature and/or the SLA where Microsoft promises that PDFs will open in the browser. Then we can better address this.

    That line of thinking would be more productive to answer the PDF question.

  • Martin,

    We're talking about opening a PDF in a browser. The only standard to be concerned about is usability. MS agrees, and has said it will be fixed. We just want to know when.

  • That's what I have been talking about.

    Of course Microsoft agrees that it should be done as a usability issue.

    I am just saying that the delay is compliance and that experienced systems engineers will tell you that they have to complete due diligence before simply changing a setting.

    If people do not have experience with large implementations, perhaps it is better to ask questions respectfully and learn from your elders.

  • Actually if you read the first post the question is why the setting has not been changed yet not just when. I am providing helpful information concerning just that.

  • I am the one with the happy customers. If you are not interested in how my customers with the PDF issue including law firms and medical establishments are still happy and understand why they have to wait, then you do not want happy customers. I think that the purpose of the entire forum is to approach these issues with an end to making our clients happy and managing issues.  

    Happy clients mean more money.

    Here I bring gifts to the table. Take freely.

  • Hi Josh,

    As to -why- you can do it in BPOS but not Office 365, it looks to be that when the product was initially designed, the choice not to include this feature was made per the KB article found here:

    As I said before, though, just because it is not available at this time does not mean that it won't be in the future.

  • Mike,

    Thanks for your reply. It's nice to see a recent KB article is in place, I guess that's progress. However, the article is not very helpful as it tells us what we already know. The article is missing the following statements commonly found in KBs:

    (Include all that apply)


    Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.


    Microsoft is aware of this issue and is developing a solution.


    Microsoft is aware of the issue, and may address it in a future release.


    This document will be updated as additional information becomes available.

    For more information about how opening PDF files inline is a server-side risk, click the following...[Link to Proof of Risk]


    Since all of the above have been either stated or alluded to by MS reps in these forums, it would be nice to know the whole truth.




  • jbooker

    ...While we're hopelessly off topic, perhaps you can enlighten us as to what on earth ISO, HIPAA, or any other compliance standard have to do with opening PDF files in the browser?

    Alternatively, we could get back on topic and someone could help us understand the specific server-side risk of opening PDF files in my client-side browser.


    The security issue is this. You can run scripts inside a PDF and that script will run under the user's account. This gives the script access to all of the content that that user has access to. This is made worse with the addition of the Client Object Model in SharePoint 2010 which makes most actions scriptable via the ECMAScript OM Library.

  • bgulley,

    Thanks for the info.  I have two comments:

    1)  Can't Forefront scan pdfs on upload to restrict those which contain scripts?

    2)  Sounds like the risk is limited to the web application to which my account has permissions.  That plus the fact that browser file handling is a web app level option should mean that other users are insulated from the risk even though o365 is multi-tenant.

    That being the case, I'm happy to accept the risk for greater usability.
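
The upload-time check raised in question 1 above, sketched as an added example (not part of the thread, and not a description of how Forefront works): it looks for the PDF name tokens that mark script or auto-run actions, after undoing `#xx` name escapes so that a disguised `/JavaScript` still matches. The function names and sample bytes are constructed for illustration.

```python
import re

# PDF names that mark script or auto-run actions inside a document.
ACTIVE = {"JavaScript", "JS", "OpenAction", "AA", "Launch"}
# PDF names that mean a byte-level scan cannot see every object
# (compressed object streams, encrypted documents).
OPAQUE = {"ObjStm", "Encrypt"}

# A name is "/" followed by characters that are neither whitespace nor delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw):
    """Undo #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    unescaped = HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return unescaped.decode("latin-1")


def pdf_names(data):
    """Return the set of decoded name tokens found anywhere in the file."""
    return {decode_name(m.group(1)) for m in NAME_RE.finditer(data)}


def upload_decision(data):
    """Classify an uploaded file as reject, quarantine, review or allow."""
    if b"%PDF-" not in data[:1024]:
        return ("reject", [])            # not a PDF at all
    names = pdf_names(data)
    if names & ACTIVE:
        return ("quarantine", sorted(names & ACTIVE))
    if names & OPAQUE:
        return ("review", sorted(names & OPAQUE))  # needs a real parser
    return ("allow", [])


# Constructed sample documents (minimal, not valid for rendering).
CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
SCRIPTED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /S /J#61vaScript /JS (constructed placeholder) >>\n"
            b"endobj\n%%EOF\n")
PACKED = (b"%PDF-1.5\n1 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Length 0 >>\n"
          b"stream\n\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("scripted", SCRIPTED), ("packed", PACKED)):
        print(label, upload_decision(doc))
```

A token scan of this kind only sees uncompressed objects, which is why files with object streams or encryption are sent for review instead of being allowed.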


  • It's kind of ironic that a co known for rampant security holes, decides to target the humble pdf. If they can build a "secure" viewer for Excel and Word files, why not pdf's? It couldn't have anything to do with the fact that they don't own the pdf format, could it?

  • Josh, you might accept the risk in detriment of usability in your own environment (on premise) for example, but Microsoft can't do that for all Office 365 as it will have a global impact.

  • Chris Valean

    Josh, you might accept the risk in detriment of usability in your own environment (on premise) for example, but Microsoft can't do that for all Office 365 as it will have a global impact.




    How will it have global impact if scripts run under my own security context and the browser file handling is set to permissive for my own web app and not your web app?