
# PnP PowerShell Scripts for SharePoint Administration

This repository contains two PowerShell scripts designed to assist with SharePoint Online administration tasks using PnP.PowerShell:

1. PnP-VersionHistoryPurge_SetAutomaticTrim.ps1: Automates version history trimming and enables automatic version control on document libraries.
2. PnP-CreateCert.ps1: Creates and exports a self-signed certificate for AppOnly authentication with Entra ID.

---

## Prerequisites

Before using these scripts, ensure the following:

1. PnP.PowerShell Module:
   - Install the PnP.PowerShell module:

     ```powershell
     Install-Module -Name PnP.PowerShell -Force
     ```
   - Authenticate using either Delegated or AppOnly authentication.

2. Entra ID App Registration:
   - Register an app in Entra ID with the required permissions for SharePoint Online.
   - For AppOnly authentication, configure certificate-based authentication.

3. Permissions:
   - Ensure the app or user has the necessary permissions to manage SharePoint sites and libraries.

4. PowerShell Version:
   - Use PowerShell 5.1 or later.

---

## Script 1: PnP-VersionHistoryPurge_SetAutomaticTrim.ps1

### Description

This script enables automatic version trimming on SharePoint document libraries and performs a one-time cleanup to retain only the most recent versions of files. It supports both Delegated and AppOnly authentication modes.

### Features

- Enables Auto Expiration Version Trim on document libraries.
- Deletes older file versions, retaining only the specified number of recent versions.
- Supports tenant-wide or single-site operations.
- Provides detailed logging and summary reports.
- Supports dry-run mode for testing without making changes.

### Parameters

- -TenantName: The short name of your tenant (e.g., contoso).
- -ClientId: Entra ID App ID.
- -AuthMode: Authentication mode: Delegated (default) or AppOnly.
- -CertificateThumbprint: Thumbprint of the certificate for AppOnly authentication.
- -CertificatePath: Path to the PFX certificate file for AppOnly authentication.
- -CertificatePassword: SecureString password for the PFX file.
- -EnsureOwnerUpn: UPN of the user to ensure as Site Collection Admin in AppOnly mode.
- -CutoffDate: Process sites created on or before this date.
- -KeepLatestVersions: Number of recent versions to retain (default: 500).
- -DryRun: Simulates actions without making changes.
- -SingleSiteUrl: URL of a single site to process.
- -DetailedLog: Enables detailed logging for each library and file.
- -GenerateSummary: Generates a summary CSV report.
- -CleanupAdminAccess: Removes Site Collection Admin access granted during the script run.

### Usage Examples

Example 1: Tenant-wide cleanup (Dry Run)

```powershell
.\PnP-VersionHistoryPurge_SetAutomaticTrim.ps1 -TenantName "contoso" -ClientId "00000000-0000-0000-0000-000000000000" -CutoffDate '2025-08-26' -KeepLatestVersions 10 -DryRun -GenerateSummary
```

Example 2: Single site cleanup with detailed logging

```powershell
.\PnP-VersionHistoryPurge_SetAutomaticTrim.ps1 -TenantName "contoso" -ClientId "00000000-0000-0000-0000-000000000000" -SingleSiteUrl "https://contoso.sharepoint.com/sites/Finance" -KeepLatestVersions 10 -DetailedLog -GenerateSummary
```

Example 3: AppOnly authentication with certificate

```powershell
$certPwd = Read-Host -AsSecureString "Enter PFX password"
.\PnP-VersionHistoryPurge_SetAutomaticTrim.ps1 -TenantName "contoso" -ClientId "00000000-0000-0000-0000-000000000000" -AuthMode AppOnly -CertificatePath "C:\Certs\ContosoAppCert.pfx" -CertificatePassword $certPwd -CutoffDate '2025-08-26' -KeepLatestVersions 10 -GenerateSummary
```

---

## Script 2: PnP-CreateCert.ps1

### Description

This script creates a self-signed certificate for AppOnly authentication with Entra ID. The certificate can be used to authenticate PnP.PowerShell scripts.

### Features

- Creates a self-signed certificate.
- Exports the certificate to a PFX file and a CER file.
- Outputs the certificate thumbprint for use in Entra ID App registrations.

### Parameters

- -CertificateName: Friendly name for the certificate.
- -CertificatePath: Path to save the PFX and CER files.
- -CertificatePassword: SecureString password for the PFX file.
- -ValidityInYears: Number of years the certificate will be valid (default: 1 year).

### Usage Example

```powershell
$certPwd = Read-Host -AsSecureString "Enter password for the certificate"
.\PnP-CreateCert.ps1 -CertificateName "PnPAppOnlyCert" -CertificatePath "C:\Certs" -CertificatePassword $certPwd -ValidityInYears 2
```

### Output

- PFX File: C:\Certs\PnPAppOnlyCert.pfx
- CER File: C:\Certs\PnPAppOnlyCert.cer
- Thumbprint: Displayed in the console.
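
The following added example shows one way to produce the same three outputs with the built-in Windows PKI cmdlets; it is not the code of PnP-CreateCert.ps1. The function name `New-AppOnlyCertificate`, the `Cert:\CurrentUser\My` store, the 2048-bit RSA key and SHA256 hash are assumptions chosen for illustration.

```powershell
# Added example, not the code of PnP-CreateCert.ps1.
# Assumptions: function name, CurrentUser store, RSA 2048 / SHA256 are illustrative choices.
function New-AppOnlyCertificate {
    param(
        [Parameter(Mandatory)] [string]       $CertificateName,
        [Parameter(Mandatory)] [string]       $CertificatePath,
        [Parameter(Mandatory)] [securestring] $CertificatePassword,
        [int] $ValidityInYears = 1
    )

    # Create the output folder if it does not exist yet.
    if (-not (Test-Path -LiteralPath $CertificatePath)) {
        New-Item -ItemType Directory -Path $CertificatePath | Out-Null
    }
    $pfxFile = Join-Path $CertificatePath "$CertificateName.pfx"
    $cerFile = Join-Path $CertificatePath "$CertificateName.cer"

    # Generate the RSA key pair and the self-signed certificate in the user's store.
    $cert = New-SelfSignedCertificate -Subject "CN=$CertificateName" `
        -FriendlyName $CertificateName `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeySpec Signature -KeyExportPolicy Exportable `
        -NotAfter (Get-Date).AddYears($ValidityInYears)

    # PFX: certificate plus private key, protected by the password. Treat it as a secret.
    Export-PfxCertificate -Cert $cert -FilePath $pfxFile -Password $CertificatePassword | Out-Null
    # CER: public certificate only. This is the file uploaded to the app registration.
    Export-Certificate -Cert $cert -FilePath $cerFile -Type CERT | Out-Null

    # Return what the caller needs for the app registration and for -CertificateThumbprint.
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        PfxFile    = $pfxFile
        CerFile    = $cerFile
    }
}

$certPwd = Read-Host -AsSecureString 'Enter password for the certificate'
New-AppOnlyCertificate -CertificateName 'PnPAppOnlyCert' -CertificatePath 'C:\Certs' `
    -CertificatePassword $certPwd -ValidityInYears 2
```

In this example the key pair also stays in `Cert:\CurrentUser\My`, so on the same machine the certificate can be referenced by thumbprint and the PFX file only needs to exist where the key must be moved to another host.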

---

## Uploading the CER Certificate to Entra ID App Registration

To enable AppOnly authentication using the certificate created by PnP-CreateCert.ps1, follow these steps:

1. Sign in to the Microsoft Entra admin center: https://entra.microsoft.com
2. Navigate to "Applications" > "App registrations"
3. Select your registered app (matching the ClientId used in the script)
4. In the left menu, click "Certificates & secrets"
5. Click "Upload certificate"
6. Browse to and select the CER file (e.g., C:\Certs\PnPAppOnlyCert.cer)
7. Click "Add" to upload the certificate
8. Confirm the certificate appears in the list with its thumbprint

Once uploaded, the certificate is associated with the app and can be used for AppOnly authentication in your scripts.
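
A pre-upload check for steps 6 and 8, as an added example that is not part of the original scripts: it confirms that the CER file holds only the public certificate, that it matches the PFX used for authentication, and prints the thumbprint to compare with the one listed in the portal. The file paths are the ones from the Output section; the 2048-bit minimum and the hash check are assumptions about what to enforce.

```powershell
# Added example, not part of the repository's scripts.
# Paths come from the Output section above; the thresholds below are assumptions.
$cerPath = 'C:\Certs\PnPAppOnlyCert.cer'
$pfxPath = 'C:\Certs\PnPAppOnlyCert.pfx'
$pfxPwd  = Read-Host -AsSecureString 'Enter PFX password'

$x509Type = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$cer = New-Object -TypeName $x509Type -ArgumentList $cerPath
$pfx = New-Object -TypeName $x509Type -ArgumentList $pfxPath, $pfxPwd

# Read the public key through the RSA extension method (returns $null for non-RSA keys).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cer)
$now = Get-Date

$checks = [ordered]@{
    'CER carries no private key'      = (-not $cer.HasPrivateKey)
    'PFX carries the private key'     = ($pfx.HasPrivateKey)
    'CER and PFX thumbprints match'   = ($cer.Thumbprint -eq $pfx.Thumbprint)
    'Certificate is currently valid'  = (($cer.NotBefore -le $now) -and ($now -lt $cer.NotAfter))
    'RSA key is at least 2048 bits'   = (($null -ne $rsa) -and ($rsa.KeySize -ge 2048))
    'Signature hash is not SHA-1/MD5' = ($cer.SignatureAlgorithm.FriendlyName -notmatch 'sha1|md5')
}

foreach ($name in $checks.Keys) {
    $status = if ($checks[$name]) { 'OK  ' } else { 'FAIL' }
    Write-Host "[$status] $name"
}

$daysLeft = [int]($cer.NotAfter - $now).TotalDays
Write-Host "Thumbprint to compare with the portal: $($cer.Thumbprint)"
Write-Host "Expires: $($cer.NotAfter.ToString('u')) ($daysLeft days left)"

# Stop before the upload if any check failed.
if (@($checks.Values) -contains $false) {
    throw 'Certificate checks failed; do not upload this file.'
}
```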

---

## Notes

- Always test scripts in a non-production environment before running them in production.
- Ensure you have appropriate permissions to execute these scripts.
- For AppOnly authentication, upload the CER file to your Entra ID App registration as described above.

---

## Disclaimer

These scripts are provided "as-is" without any warranty. Use them at your own risk. The authors are not responsible for any damage caused by the use of these scripts.
