
The corporate VPN has served organisations for decades, but the way we work has fundamentally changed. Microsoft Entra Private Access offers a Zero Trust alternative that works application by application instead of granting broad network access. What is the difference, how does the technology work, and how do you start a phased migration?
The corporate VPN has been the backbone of remote access for decades. Working from home, a remote office, or a café: the VPN creates an encrypted tunnel to the company network. Once connected, the user has access as if sitting in the office. That sounds convenient, and it is, but it is also the biggest security problem of the traditional network.
When an attacker obtains credentials or compromises a device with VPN access, they get the same full network access as the legitimate user. That lateral movement pattern — moving from one system to another across the corporate network — is a standard step in virtually every successful ransomware attack. In 2026, there is a structurally better alternative built natively into the Microsoft ecosystem: Entra Private Access.
Entra Private Access is part of Microsoft's Global Secure Access platform, which also includes Entra Internet Access for securing outbound internet traffic. Private Access specifically addresses the problem of internal application access. Instead of granting access to the entire corporate network, you define which specific applications or resources a user is allowed to reach, and under what conditions.
The paradigm shifts from network access to application access. An employee working from home who needs to reach an internal CRM system gets exactly that: access to that one system. Not to the file server, not to the production database, not to the router's management interface. This principle is called Zero Trust Network Access, abbreviated ZTNA.
A traditional VPN operates at the network level. Once the tunnel is established, the device receives an IP address on the corporate network and can in principle route traffic to any system reachable on that network. Control happens once, at tunnel setup.
Entra Private Access checks every connection attempt individually. Before each access grant, the system verifies identity via Entra ID, device status via Intune compliance policy, and optionally additional Conditional Access conditions such as location, sign-in risk, or the strength of the MFA method the user authenticated with. A compromised device that a VPN would have admitted is refused by Private Access, even if the credentials are correct.
An additional operational benefit: IT administrators can see exactly who has access to which application, can revoke access per application or per user, and no longer need to manage broad network segments. Audits become simpler and the security profile improves demonstrably.
The core of Entra Private Access is the Private Network Connector, a lightweight agent you install on a Windows Server within your network. This can be a physical on-premises server or a virtual machine in Azure or your own datacentre. The connector establishes an outbound connection to Microsoft's Global Secure Access service. No inbound firewall rules or open ports are needed, and no publicly visible VPN gateway.
On the user's device runs the Global Secure Access client, a lightweight agent for Windows and macOS. When the user tries to reach an internal application, the client routes the traffic through Microsoft's secure network to the connector in your environment, and from there to the target application. From the application's perspective, the request appears to come from the local network.
Configuration follows one of two approaches. Quick Access quickly gives you a broad access group based on IP ranges or FQDN patterns, similar to a partial VPN for a specific subnet. Enterprise Application Access lets you define individual applications as secured access points, each with its own Conditional Access policies and assigned user groups. The second approach gives you the most precise control.
A capability that frequently surprises IT administrators is Kerberos support in Entra Private Access. Many internal business applications use Windows-integrated authentication via Kerberos: the user logs in once to their computer and does not need to enter a separate password for internal systems. With a traditional VPN this works because the device is domain-joined. For external access without a VPN, this was not possible until recently.
Entra Private Access resolves this via Kerberos Cloud Trust. Your Entra environment acts as an intermediary and issues Kerberos tickets on behalf of users signed in via Entra ID. Employees can log in to internal SharePoint sites, intranet applications, or legacy web apps from home without an extra password and without a VPN. The experience is identical to working in the office.
Entra Private Access is part of the Microsoft Entra Suite, a bundle that also includes Entra Internet Access, Entra ID Governance, and Entra ID Protection. The Entra Suite is available as an add-on on top of existing Microsoft 365 licences. Organisations with Microsoft 365 E5 Security or the Microsoft 365 E7 Frontier Suite have access through those bundles.
Technical requirements: Windows Server 2016 or newer for the connector, Entra ID P1 or P2 as the identity foundation, and Intune or a compatible MDM solution for device compliance. The Global Secure Access client supports Windows 10 and 11 and macOS Ventura and later.
You do not need to decommission the VPN all at once. The most successful approach is a phased migration where both systems run in parallel temporarily. Start with the applications used most from external locations and where security benefits most from granular control, such as access to the ERP system, the HR application, or the intranet.
A practical starting point in four steps. First, install a Private Network Connector on a Windows Server in your network and link it to your Entra tenant. Second, create an Enterprise Application profile for your most-used internal application. Third, attach a Conditional Access policy that requires MFA and device compliance. Fourth, assign the configuration to a pilot group of five to ten employees and evaluate after two weeks before rolling out further.
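Steps three and four above, the pilot Conditional Access policy scoped to the Private Access application and a pilot group, can be created with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original article or from Microsoft; the application ID and group ID are placeholders you replace with values from your own tenant, and the policy is created in report-only mode so the two-week evaluation can use the sign-in logs before anything is enforced.

```powershell
# Added example: create the pilot Conditional Access policy for an Entra Private Access
# Enterprise Application. Placeholders (replace with your tenant's values): the
# application (client) ID of the Enterprise Application created in step 2, and the
# object ID of the pilot group from step 4.
Import-Module Microsoft.Graph.Identity.SignIns

# Delegated permissions needed to create Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$privateAccessAppId = '00000000-0000-0000-0000-000000000000'   # placeholder
$pilotGroupId       = '11111111-1111-1111-1111-111111111111'   # placeholder

$policy = @{
    displayName = 'Private Access pilot - require MFA and compliant device'
    # Report-only: the policy is evaluated and logged for every sign-in but not
    # enforced, so the pilot shows what WOULD be blocked. Switch to 'enabled'
    # after the two-week review.
    state = 'enabledForReportingButNotEnforced'
    conditions = @{
        users = @{
            includeGroups = @($pilotGroupId)
        }
        applications = @{
            includeApplications = @($privateAccessAppId)
        }
        # Evaluate every client type so no client category is exempt from the controls.
        clientAppTypes = @('all')
    }
    grantControls = @{
        # AND means both controls must be satisfied, matching "MFA and device
        # compliance" in step 3. OR would let either control alone grant access.
        operator        = 'AND'
        builtInControls = @('mfa', 'compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

During the pilot, filter the Entra sign-in logs on this policy's name to see which pilot users would have been blocked and why (missing MFA or a non-compliant device) before moving the state to enabled.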
Applications you expose through Entra Private Access are assigned per user group, just like cloud apps in Entra ID. The overview of who has access to what becomes fully transparent and auditable — something that is rarely the case with a traditional VPN.
Not every situation lends itself immediately to Entra Private Access. Cases where VPN remains the best choice for now include bulk transfers of large files to on-premises file servers via SMB, specific legacy protocols that do not run on TCP or UDP, and operational technology networks with strict segmentation requirements. For most office workers who need access to applications and web services, Entra Private Access provides a more secure and manageable alternative that also scales better as the organisation grows.
Want an analysis of your current VPN usage and a migration plan towards Zero Trust Network Access? Zarioh helps organisations with the full Entra environment, from identity management to network access. Contact us for a no-obligation conversation.