Dialogue Cloud

UCC Site Collection Deployment — Sites.Selected Permission Model

Important

This article assumes you are using the Site Collection model with Subsites and an Entra ID (formerly known as Azure Active Directory, Azure AD, or AAD) application with SharePoint — Sites.Selected and Graph — Sites.Selected Application permissions only. If your Entra ID app has Sites.FullControl.All, refer to the standard deployment guide instead.


Introduction

In environments where full SharePoint permissions cannot be granted to a deployment app, AnywhereNow supports a reduced-permission model using Microsoft's Sites.Selected permission scope. This scope limits the app's access to only the explicitly granted site collection, rather than the entire tenant.

This model involves two distinct roles:

| Role | Responsibility |
| --- | --- |
| SharePoint Administrator | One-time environment preparation |
| Delegated Engineer | All ongoing UCC provisioning and management |

A Unified Contact Center, or UCC, is a queue of interactions (voice, email, IM, etc.) that are handled by Agents. Each UCC has its own settings, IVR menus and Agents. Agents can belong to one or several UCCs and can have multiple skills (competencies). A UCC can be visualized as a contact center “micro service”. Customers can utilize one UCC (e.g. a global helpdesk), a few UCCs (e.g. for each department or regional office) or hundreds of UCCs (e.g. for each bed at a hospital). They are interconnected and can all be managed from one central location.

Once the administrator has completed the one-time setup, they are not required for any subsequent operations. The engineer operates entirely within the granted site collection using the app credentials.


Prerequisites

  • An Entra ID application registered with the following API permissions:
    • SharePoint — Sites.Selected (Application)
    • Microsoft Graph — Sites.Selected (Application)
  • A certificate (.pfx) associated with the Entra ID application
  • PowerShell 7.4.6 or higher
  • UCC Site Creator package v8.4.1.8 or higher

Tip: You may already have an Entra ID app from a previous AnywhereNow installation. If so, check whether Sites.Selected can be added to that app instead of registering a new one.


Part 1 — SharePoint Administrator (One-Time Setup)

These steps are performed once by a SharePoint Administrator before handing over to the engineer. Admin access is not required after this point.

Step 1 — Create the root site collection

Create the site collection that will host the UCC deployment manually in the SharePoint Admin Center.

  1. Go to https://<tenant>-admin.sharepoint.com
  2. Navigate to Sites > Active sites > Create
  3. Choose Communication site
  4. Set the URL to the intended UCC root — for example https://<tenant>.sharepoint.com/sites/<site-name>
  5. Complete creation and wait for provisioning to finish

Note: The site collection must exist before the engineer can run any scripts. This is the step that normally requires tenant admin rights — the engineer's app cannot create site collections with Sites.Selected permissions only.

Step 2 — Enable the site collection App Catalog

Connect to the SharePoint Admin Center and run:

PowerShell
Connect-PnPOnline `
  -Url "https://<tenant>-admin.sharepoint.com" `
  -Interactive

Add-PnPSiteCollectionAppCatalog `
  -Site "https://<tenant>.sharepoint.com/sites/<site-name>"

Step 3 — Grant the Entra app access to the site collection

PowerShell
Grant-PnPAzureADAppSitePermission `
  -AppId "<entra-app-client-id>" `
  -DisplayName "<display-name-for-the-app>" `
  -Site "https://<tenant>.sharepoint.com/sites/<site-name>" `
  -Permissions Write

Note: This grant covers the root site collection and all subsites within it. No additional grants are needed when new UCC subsites are added later.
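Before handing over, the administrator can confirm what Step 3 actually granted. The following is an added example, not part of the AnywhereNow scripts; it runs in the same admin session and assumes the PnP.PowerShell output objects expose Id, Roles and Apps (each with DisplayName and Id).

```powershell
# Added verification example: list app-only grants on the UCC site collection
# and confirm the UCC app holds exactly the "write" role from Step 3.
$siteUrl = "https://<tenant>.sharepoint.com/sites/<site-name>"
$appId   = "<entra-app-client-id>"

# Every application grant currently present on the site collection.
$grants = @(Get-PnPAzureADAppSitePermission -Site $siteUrl)

$report = foreach ($grant in $grants) {
    # Re-read each entry by id: the list call may return entries without Roles.
    $detail = Get-PnPAzureADAppSitePermission -Site $siteUrl -PermissionId $grant.Id
    foreach ($app in $detail.Apps) {
        [pscustomobject]@{
            App      = $app.DisplayName
            AppId    = $app.Id
            Roles    = ($detail.Roles -join ",")
            IsUccApp = ($app.Id -eq $appId)
        }
    }
}

# The UCC app should appear once, with the role granted in Step 3.
$ucc = @($report | Where-Object IsUccApp)
if ($ucc.Count -ne 1) {
    Write-Warning "Expected exactly one grant for $appId, found $($ucc.Count)."
} elseif ($ucc[0].Roles -ne "write") {
    Write-Warning ("UCC app roles are '{0}', expected 'write'." -f $ucc[0].Roles)
}

# Any other application with access to this site collection deserves a review.
$report | Where-Object { -not $_.IsUccApp } | ForEach-Object {
    Write-Warning ("Other app with access: {0} ({1}), roles: {2}" -f $_.App, $_.AppId, $_.Roles)
}

$report | Format-Table -AutoSize
```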

Step 4 — Hand over to the engineer

Provide the engineer with the following:

| Item | Description |
| --- | --- |
| ClientId | The Application (client) ID of the Entra ID app |
| TenantId | The Directory (tenant) ID from Entra ID |
| CertificatePath | Path to the .pfx certificate file |
| CertificatePassword | The certificate password |
| SiteCollectionUrl | The root site collection URL created in Step 1 |

The administrator is not involved in any further steps.


Part 2 — Delegated Engineer (First Deployment)

These steps are run once when setting up a new UCC site collection.
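Before running Step 5, the engineer can check the handed-over credentials and confirm that the app's access really is limited to the granted site collection. This is an added preflight example, not part of the UCC Site Creator package; `<ungranted-site>` is a hypothetical placeholder for an existing site that was not granted in Step 3, and `Test-AppSiteAccess` is a helper defined here.

```powershell
# Added preflight example (not part of the UCC Site Creator package).
# <ungranted-site> is a hypothetical, existing site the app was NOT granted in Step 3.
$grantedUrl   = "https://<tenant>.sharepoint.com/sites/<site-name>"
$ungrantedUrl = "https://<tenant>.sharepoint.com/sites/<ungranted-site>"
$clientId     = "<entra-app-client-id>"
$tenantId     = "<entra-tenant-id>"
$certPath     = "<path-to-cert.pfx>"
$certPassword = Read-Host -Prompt "Enter certificate password" -AsSecureString

# 1. The .pfx must open with the password, hold a private key and be in date.
$cert = Get-PfxCertificate -FilePath $certPath -Password $certPassword
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key." }
$daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
if ($daysLeft -lt 0)  { throw "Certificate expired $(-$daysLeft) day(s) ago." }
if ($daysLeft -lt 30) { Write-Warning "Certificate expires in $daysLeft day(s)." }
"Thumbprint to compare with the Entra ID app registration: $($cert.Thumbprint)"

# Returns $true when the app-only identity can read the web at $Url.
function Test-AppSiteAccess {
    param([Parameter(Mandatory)][string]$Url)
    try {
        $conn = Connect-PnPOnline -Url $Url -ClientId $clientId -Tenant $tenantId `
            -CertificatePath $certPath -CertificatePassword $certPassword `
            -ReturnConnection -ErrorAction Stop
        Get-PnPWeb -Connection $conn -ErrorAction Stop | Out-Null
        return $true
    } catch {
        Write-Verbose ("{0}: {1}" -f $Url, $_.Exception.Message)
        return $false
    }
}

# 2. The granted site collection must be reachable.
if (-not (Test-AppSiteAccess -Url $grantedUrl)) {
    throw "App cannot read $grantedUrl. Check the Step 3 grant and the certificate."
}

# 3. A site without a grant must be refused; success here means the app
#    holds wider permissions than Sites.Selected.
if (Test-AppSiteAccess -Url $ungrantedUrl) {
    Write-Warning "App can read $ungrantedUrl. Review its API permissions."
} else {
    "Scope check passed: the ungranted site was refused."
}
```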

Step 5 — Deploy the SPFx package

Uploads the UCC Dashboard SPFx package to the site collection App Catalog and installs it on any already-provisioned subsites.

PowerShell
$certPassword = Read-Host -Prompt "Enter certificate password" -AsSecureString

.\Deploy-UccDashboard.ps1 `
  -SiteCollectionAppCatalogUrl "https://<tenant>.sharepoint.com/sites/<site-name>" `
  -ClientId "<entra-app-client-id>" `
  -CertificatePath "<path-to-cert.pfx>" `
  -CertificatePassword $certPassword

Average time to run: 30 seconds – 1 minute.

Step 6 — Initialize the site collection and provision UCC sites

Configures the root site collection and processes any pending UCC site requests from the A365_UCC_Creator list.

PowerShell
.\UCC.Site.Creator.ps1 `
  -paramSiteCollectionUrl "https://<tenant>.sharepoint.com/sites/<site-name>" `
  -paramSiteOwner "<owner-upn>@<tenant>.onmicrosoft.com" `
  -paramCertificateAppId "<entra-app-client-id>" `
  -paramCertificateTenantId "<entra-tenant-id>" `
  -paramCertificatePath "<path-to-cert.pfx>" `
  -paramCertificatePassword $certPassword `
  -UseSubSites `
  -UseSiteCollectionAppCatalog `
  -SiteCollectionPreCreated

Important: The -SiteCollectionPreCreated switch is required when using Sites.Selected permissions. It tells the script that the root site collection was already created by the administrator in Step 1. Without this switch the script will attempt to create the site collection itself, which requires tenant admin permissions and will fail.

Average time to run: 15 – 30 minutes for the first site (includes list provisioning).


Part 3 — Delegated Engineer (Ongoing Operations)

These steps are repeated as needed after the initial deployment.

Adding a new UCC subsite

A new UCC request appears in the A365_UCC_Creator list with status Requested. Run the same command as Step 6 — the script picks up all pending requests automatically.

PowerShell
.\UCC.Site.Creator.ps1 `
  -paramSiteCollectionUrl "https://<tenant>.sharepoint.com/sites/<site-name>" `
  -paramSiteOwner "<owner-upn>@<tenant>.onmicrosoft.com" `
  -paramCertificateAppId "<entra-app-client-id>" `
  -paramCertificateTenantId "<entra-tenant-id>" `
  -paramCertificatePath "<path-to-cert.pfx>" `
  -paramCertificatePassword $certPassword `
  -UseSubSites `
  -UseSiteCollectionAppCatalog `
  -SiteCollectionPreCreated

Average time to run: 15 – 30 minutes per new UCC subsite.

Updating the SPFx package (new UCC release)

Re-run Step 5 with -Force. The script re-uploads the package and updates the app on all provisioned subsites automatically.

PowerShell
.\Deploy-UccDashboard.ps1 `
  -SiteCollectionAppCatalogUrl "https://<tenant>.sharepoint.com/sites/<site-name>" `
  -ClientId "<entra-app-client-id>" `
  -CertificatePath "<path-to-cert.pfx>" `
  -CertificatePassword $certPassword `
  -Force

Average time to run: 30 seconds – 1 minute.

Modernizing existing UCC sites

Run against a CSV file containing the URLs of all sites in the deployment. See Batch Modernization for guidance on preparing the CSV.

PowerShell
.\Batch-ModernizeUccSites.ps1 `
  -InputCsv ".\UccSites.csv" `
  -ClientId "<entra-app-client-id>" `
  -CertificatePath "<path-to-cert.pfx>" `
  -CertificatePassword $certPassword `
  -Tenant "<entra-tenant-id>" `
  -Mode Modernize `
  -UseSiteCollectionAppCatalog

Average time to run: 30 seconds – 1 minute per site.


Reference

Parameter placeholders

| Placeholder | Description |
| --- | --- |
| <tenant> | Your Microsoft 365 tenant name (e.g. contoso) |
| <site-name> | The site collection path segment (e.g. ucc-production) |
| <entra-app-client-id> | The Application (client) ID of the Entra ID app |
| <entra-tenant-id> | The Directory (tenant) ID from Entra ID |
| <path-to-cert.pfx> | Full or relative path to the certificate file |
| <owner-upn> | UPN of the site owner account |
| $certPassword | SecureString — captured via Read-Host -AsSecureString |

In Windows Active Directory, a User Principal Name (UPN) is the name of a system user in an email-address-like format. A UPN (for example: john.doe@domain.com) consists of the user name (logon name), separator (the @ symbol), and domain name (UPN suffix).

Which scripts work with Sites.Selected

| Script / Feature | Sites.Selected |
| --- | --- |
| Tenant App Catalog deployment | ❌ Not supported |
| Site collection App Catalog deployment | ✅ Supported |
| Root site collection creation | ❌ Not supported — admin must pre-create (Step 1) |
| UCC subsite provisioning | ✅ Supported |
| Batch modernization (CSV mode) | ✅ Supported |
| Batch modernization (Discover mode) | ❌ Not supported |

Note: Day-to-day UCC operations by agents and supervisors do not use this Entra ID app at all. The app is only used by the engineer when running the deployment and management scripts above.