The way multi-site UniFi management worked before Fabrics was simple and kind of painful. You had Site Manager, which gave you a unified view of all your locations and let you jump between consoles without juggling separate logins. That part was genuinely good. But the configuration work itself was still per-site. You couldn’t push a firewall rule or a WiFi policy change across 40 locations in one action. You logged into each one.

For a small footprint, that’s fine. For an MSP managing dozens of dental and orthodontic practices across the country, it adds up fast. Every new location meant sitting through the same sequence of configuration steps. Every policy change meant doing it over. The only way to maintain consistency was discipline and documentation, and those are fragile.

UniFi Fabrics, announced in January and officially moved to the stable branch in April 2026, is Ubiquiti’s answer to that. It’s a management layer built on top of Site Manager that lets multiple UniFi sites be grouped under a shared administrative and identity model, with centralized role-based access control, identity provider integration, policy and device templates, and more. The short version: a single control plane that treats all your sites as one system instead of a collection of independent deployments.

Here’s what that actually means in practice.

The Orchestration Engine: Blueprints and Canvas

Blueprints and Canvas are the two main tools inside the Orchestration Engine. Blueprints handle initial site deployment. You pre-provision a new site in the Fabric, and installers receive a Magic Link with instructions to bring the site up against your pre-configured settings, including custom WAN settings per site. Canvas handles ongoing configuration compliance. It contains settings that are synced to site devices and can’t be modified from within the individual site’s Network application.

That second part is where the real operational value is. Canvas settings are enforced. You configure a firewall policy, a guest network isolation rule, or a DNS server at the Fabric level and it stays that way across every site. A technician working inside a specific site’s console can’t accidentally (or intentionally) drift from the standard. For an MSP environment where you’re handing different contractors access to different sites, that’s not just convenient, it’s a compliance consideration.

Blueprints are equally useful on the deployment side. New sites can be deployed rapidly while maintaining consistent organization configuration and security standards. Scaling infrastructure is simplified through device templates and policy assignments that enable true Zero Touch Provisioning. In practice this means a new practice location can come online with your standard VLAN setup, your firewall policies, your SSID configuration, and your monitoring integrations already applied, before anyone on your team logs in. The installer follows the link, connects the hardware, and the site comes up in your Fabric.

RBAC and Identity

Fabrics provide a way to centrally manage people and assign granular permissions across multiple UniFi sites. By defining access at the Fabric level, administrators can scale both user and administrative access without duplicating configuration per site.

The permission model splits into two categories. Admin permissions control access to the UniFi management interface, ranging from full access to view-only or application-specific grants. User permissions (through the UniFi Endpoint app) cover things like One-Click WiFi, One-Click VPN, and Smart Door Access.

For MSPs, the more relevant feature is IdP integration. Administrators can bind leading identity providers, apply user-based policies, and deliver secure access through a seamless UniFi Identity experience across platforms. Security is enforced by identity, not location-specific policies. Microsoft Entra is explicitly supported. This means employee onboarding and offboarding in your client’s directory automatically propagates to UniFi access. A new employee gets provisioned in Entra, and their UniFi permissions appear. Someone leaves, their access is gone. The Identity Sync Service runs on a designated console called the Master Site, which acts as the orchestrator for people and permissions across all sites in the Fabric.

Hardware requirement worth noting: IdP binding requires one of the following consoles to be present in the Fabric: UDM Pro, UDM SE, UDM Pro Max, EFG, UNVR Pro, ENVR, or ENVR Core. UniFi OS v4.4 or newer is required. If you’re running older hardware or lower-end gateways as your primary console, plan for that before you start.

The API and Automation Layer

The Fabric API extends the platform to developers and integrators with complete documentation, Ansible support, and unified access to every connected environment through a single interface.

This one is early days, but the direction is clear. A single API endpoint that covers your entire deployment is a different thing than site-by-site API calls. If you’re building automation around UniFi or integrating it with something like N-able or a PSA tool, the Fabric API is where that work will eventually live.

The No-Licensing Part

Site Manager redefines how enterprise IT is built and managed, bringing together power, simplicity, and scalability without added licensing complexity. The future of enterprise IT is unified, scalable, and completely license-free with UniFi and the new Site Manager.

That’s Ubiquiti’s marketing language, but it’s accurate. There is no per-site licensing, no controller hosting fee, no tier you need to upgrade to in order to use Fabrics. That’s a real differentiator. The platforms that compete with this level of multi-site management capability charge for it, usually on a per-device or per-site basis that compounds fast across a large fleet.

Getting Started

Fabrics is available now on the stable branch. To get started, navigate to Site Manager, select or create a Fabric, go to Settings > Identity, and enable Consolidated People Management. From there you can optionally bind an Identity Provider for Zero-Trust networking and automated employee onboarding and offboarding.

The recommended approach (and worth doing before you get deep into it) is to make sure a single company-managed UI account owns all your sites. It’s not strictly required to use Fabrics, but it simplifies RBAC and is required for the Site Magic SD-WAN feature if that’s on your roadmap.

The Ubiquiti Academy also has material covering how Fabrics is deployed and operated at scale. If you’re setting this up for the first time across a large fleet, start there.

Resources:

• Introducing UniFi Fabrics: https://blog.ui.com/article/introducing-unifi-fabrics

• The New Site Manager, Now Official: https://blog.ui.com/article/officially-bringing-unifi-fabrics

• Getting Started with UniFi Fabrics (Help Center): https://help.ui.com/hc/en-us/articles/30979808349463-Getting-Started-with-UniFi-Fabrics

• Managing Fabric People, Roles, and Permissions: https://help.ui.com/hc/en-us/articles/31557407384343-Managing-UniFi-Fabric-People-Roles-and-Permissions