UniFi Identity vs Identity Enterprise - When the Free Version Is Actually Enough
Summary
Ubiquiti spreads who can log in and how sites are grouped across several names: Site Manager, Organizations, Fabrics, UniFi Identity (free, tied to your gear), and Identity Enterprise (paid). This writeup explains what each layer does, how they differ, and when the free stack is enough—without assuming you already speak Ubiquiti’s product vocabulary.
Details
Why this exists
Ubiquiti’s docs and UI use overlapping terms. In practice you care about three questions:
- Where do I see all my consoles? → mostly Site Manager (unifi.ui.com).
- How do I treat several sites as one “company”? → Organizations and, for identity-heavy setups, Fabrics.
- How do users sign in (Wi‑Fi, VPN, doors, apps)? → UniFi Identity (free, with your org/console) vs Identity Enterprise (subscription, more features).
Site Manager (the dashboard)
Site Manager is the cloud portal where every UniFi deployment you own or can administer shows up. Think of it as the master remote control: firmware, alerts, remote access, and (depending on your setup) APIs and cross-site tools.
- You can have consoles listed there that are only under your personal account—and others that sit inside a company organization.
- If someone adopts a console with a different UI account flow, that console may land under Site Manager for the org owner but not automatically inside a named site bucket within the organization. Sorting that out is an admin/ownership exercise, not a bug in your APs.
Plain English: Site Manager = “all my UniFi stuff in one browser.” It is not the same thing as a single merged network.
Organizations (the company shell)
An Organization is Ubiquiti’s way of saying “this group of sites belongs to one business.” You get things like org-level admins, branding, and (when enabled) shared identity workflows. Access is often via something like yourcompany.ui.com in addition to the main UniFi portal.
Plain English: Organization = the legal/team wrapper around multiple physical locations.
Fabrics (shared people and policies across sites)
Fabrics sit on top of Site Manager/Organizations for deployments that want one roster of people and roles stretched across several sites. Documentation describes Fabrics as grouping sites under a shared admin and identity model: things like tying in an external identity provider, templates, and consolidated people management so you are not re-creating the same users on every Cloud Gateway.
Fabrics lean on newer UniFi OS versions and features that show up as the stack evolves (Ubiquiti often labels parts of this as Early Access).
Plain English: Fabric = “these sites share the same employee list and rules,” not “one Dream Machine runs two buildings.”
One gateway = one network site (the gap Ubiquiti rarely states plainly)
A UDM Pro, UDM SE, or similar Cloud Gateway is built to run one UniFi “site” (one Network application + the gear behind that gateway). The gateway at your office does not adopt the switches and APs that are physically plugged into a different gateway at another address.
What you can do is group those gateways under one Organization (and optionally a Fabric) so that identity, admins, and policies feel unified—even though each box still owns its own LAN.
Plain English: You get logical multi-site identity and management; you do not get one console magically managing another site’s wired devices.
UniFi Identity (free) vs Identity Enterprise (paid)
Both deal with accounts, sign-in, and access to UniFi services (Wi‑Fi, VPN, doors, etc.). The split is scope and how fancy the identity features are.
| Topic | UniFi Identity (free, with org/console) | Identity Enterprise |
|---|---|---|
| Billing | No extra subscription for the core org/Identity Hub style features (per the testing notes for this writeup: no per-Dream-Machine charge for Identity + Organization Manager). | Paid per user (monthly/annual). |
| Where it “lives” | Tied to your UniFi Organization and consoles—Ubiquiti still hosts the portal, but you are not buying a separate enterprise SKU. | Subscription service tier with additional cloud-side capabilities. |
| Directories / IdP | Support for common directories (e.g. AD/LDAP-style, Entra ID, Google Workspace, JumpCloud LDAP—exact menus change by version). | Broader packaged integrations (e.g. Microsoft 365, Google Workspace, JumpCloud, AD/LDAP, CSV import—see Ubiquiti’s comparison articles). |
| Features | Solid basics: IAM-style user management, SSO/MFA in the sense Ubiquiti exposes for that tier, multi-site when paired with Org/Fabric. | Heavier toolkit: adaptive MFA, passwordless options, more SSO app plumbing, MDM/workflows, and similar “enterprise IAM” items—check their matrix for your console models. |
When is the free side “actually enough”?
- Several UDM Pros / UDM SEs at different addresses, all under one Organization, with directory sync and shared admins—the testing notes for this writeup match this: Identity + Organization Manager are free and can span multiple gateways.
- You do not need Identity Enterprise’s extra items (adaptive MFA, broad SSO app catalog, MDM, workflow automation) or you are fine meeting those needs elsewhere.
- You accept that each site remains its own network; you are standardizing people and policy, not merging LANs.
When to seriously look at Enterprise
- Compliance or IT standards demand Ubiquiti’s enterprise-tier features (not just “we have MFA somewhere”).
- You want the Identity Enterprise feature set and billing model as Ubiquiti documents it for your user count and consoles.
Closing thoughts
Ubiquiti’s naming makes it easy to buy the wrong mental model: Site Manager is not a single network, Fabric is not one mega-controller, and Identity Enterprise is not required just to have more than one Dream Machine under one company. For many small and mid-size deployments, Organization + Fabric (where you use it) + free Identity is enough—as long as you plan for one gateway per physical network and use the org layer for people and access, not for impossible controller merging.
If a console shows up under Site Manager but outside the site group you expected, treat it as an ownership and onboarding cleanup (who adopted the device, which UI account owns it), not as a sign that you must upgrade to Enterprise.
Product lines change; always confirm current IdP support and feature matrices on Ubiquiti’s site before you commit a design to a customer.
Sources
Official Ubiquiti Help Center and related pages (verify before relying in production):
- UniFi Remote Management via Site Manager
- Managing Your UniFi Organization
- Getting Started with UniFi Fabrics / Creating an Organization
- Manage UniFi Organization Users and Admins (Fabric people, roles, permissions)
- Creating an Identity Hub in Your Organization / IdP binding
- Upgrading to UniFi Identity Enterprise
- UniFi Identity Enterprise – Plan and Billing
- Identity Enterprise help section (overview articles)
- UniFi Identity Endpoint user guide (Identity Hub)
- UniFi Identity Enterprise and Identity Enterprise Endpoints
Community discussion (not official spec): Identity Enterprise vs. Identity (Ubiquiti Community).