Enterprise VPN infrastructure costs the average 5,000-user organisation $400,000–$900,000 per year in vendor licenses, firewall hardware, and operational overhead. Microsoft Entra Private Access — the Zero Trust Network Access (ZTNA) component of Microsoft's Security Service Edge (SSE) platform — is priced at $3/user/month as a standalone add-on, or bundled into the Entra Suite at $12/user/month. For organisations already investing in the Microsoft identity stack, the licensing economics are difficult to ignore. But the numbers only work if you can actually decommission the legacy VPN — a transition that 60% of enterprises underestimate in complexity.
Independent Advisory. Zero Vendor Bias.
500+ Microsoft EA engagements. $2.1B in managed spend. 32% average cost reduction. We negotiate on your behalf — never Microsoft's.
View Advisory Services →What Is Microsoft Global Secure Access?
Microsoft Global Secure Access (GSA) is Microsoft's Security Service Edge (SSE) platform, launched generally in 2024. It sits within the Microsoft Entra product family and consists of two distinct services that organisations can licence separately or together:
| Component | Function | Replaces | Standalone Price |
|---|---|---|---|
| Microsoft Entra Private Access | Zero Trust Network Access (ZTNA) for private corporate resources | VPN, MPLS private access | $3/user/month |
| Microsoft Entra Internet Access | Secure Web Gateway (SWG) + Microsoft traffic profile | Web proxy, on-premises SWG | $5/user/month |
| Entra Suite (both + more) | Full SSE + full Entra identity stack | Multiple point solutions | $12/user/month |
Entra Private Access implements a connector-based architecture: lightweight connectors are deployed in your private network, applications are registered as "Enterprise Applications" in Entra ID, and user access is brokered through Microsoft's global PoP network. Conditional Access policies control every connection attempt — meaning every access decision evaluates device compliance, user identity, risk level, and network location before granting access.
This is structurally different from split-tunnel VPN where once a user connects, lateral movement within the private network is unrestricted. Private Access enforces per-application, per-session Zero Trust verification.
Licensing Requirements: What You Actually Need
This is where enterprises consistently make expensive mistakes. Entra Private Access is not included in any standard M365 or Office 365 plan, including E5. Here is the precise licensing stack required:
| Requirement | Minimum Licence | Notes |
|---|---|---|
| Entra Private Access core | Entra Private Access add-on ($3/user/month) or Entra Suite ($12/user/month) | Not in E3/E5/F3 |
| Conditional Access integration | Entra ID P1 (included in M365 E3, Entra Suite) | Required for policy enforcement |
| Global Secure Access client | Included at no extra cost | Windows, macOS, iOS, Android |
| Private Network Connector | Included at no extra cost | Deployed on Windows Server in your network |
| Quick Access (legacy app support) | Entra Private Access licence | For IP/FQDN-based access rules |
| Per-App Access (ZTNA mode) | Entra Private Access licence + Entra ID P1 | Full zero trust per-app enforcement |
| Entra Internet Access (optional) | Separate add-on ($5/user/month) or Entra Suite | Not required for Private Access |
Critical clarification: If your users already have M365 E3 or E5, they have Entra ID P1 or P2. The only incremental cost is the Entra Private Access add-on at $3/user/month. For a 1,000-user deployment, that is $36,000/year in incremental Microsoft licensing. Whether that replaces your existing VPN costs depends on your current VPN vendor agreement and infrastructure model.
Entra Suite Licensing: The Bundle Economics
The Entra Suite at $12/user/month bundles five products that would cost significantly more standalone. This is the most important pricing decision for any organisation evaluating Entra Private Access:
| Product | Standalone Price | Included in Entra Suite |
|---|---|---|
| Entra ID P2 | $9/user/month (or via E5) | ✓ |
| Entra Private Access | $3/user/month | ✓ |
| Entra Internet Access | $5/user/month | ✓ |
| Entra ID Governance | $7/user/month | ✓ |
| Microsoft Entra Verified ID (Premium) | $3/user/month | ✓ |
| Microsoft Entra Permissions Management | $8/resource/month (different unit) | ✓ (limited) |
| Total standalone (approx.) | $27+/user/month | Suite: $12/user/month |
The Entra Suite delivers approximately 55% savings against standalone list pricing. However, the value depends on whether you need the full stack. If you only need Private Access and already have P2 via E5, the standalone $3 add-on is the more rational purchase. If you need Private Access, Internet Access, and Identity Governance, the Suite is compelling at nearly every scale.
Get an Independent Second Opinion
Before you sign your next Microsoft agreement, speak with an adviser who has no commercial relationship with Microsoft.
Request a Consultation →VPN Replacement TCO: The Real Numbers
The business case for Entra Private Access is typically built on VPN displacement. Here is a realistic total cost of ownership comparison for a 2,000-user hybrid workforce over three years:
Traditional Enterprise VPN (3-Year TCO — 2,000 users)
| Cost Component | Year 1 | Year 2 | Year 3 | 3-Year Total |
|---|---|---|---|---|
| VPN vendor licensing | $80,000 | $84,000 | $88,000 | $252,000 |
| Firewall/appliance (amortised) | $60,000 | $20,000 | $20,000 | $100,000 |
| Operations & support (0.5 FTE) | $50,000 | $52,000 | $54,000 | $156,000 |
| Incident response / remediation | $25,000 | $25,000 | $25,000 | $75,000 |
| VPN Total | $215,000 | $181,000 | $187,000 | $583,000 |
Entra Private Access (3-Year TCO — 2,000 users)
| Cost Component | Year 1 | Year 2 | Year 3 | 3-Year Total |
|---|---|---|---|---|
| Entra Private Access licensing ($3/user/month) | $72,000 | $72,000 | $72,000 | $216,000 |
| Implementation (connectors, migration) | $40,000 | $5,000 | $5,000 | $50,000 |
| Operations (reduced — cloud-managed) | $20,000 | $20,000 | $20,000 | $60,000 |
| Private Access Total | $132,000 | $97,000 | $97,000 | $326,000 |
3-Year saving: $257,000 (44% reduction) — and this scenario does not account for the risk reduction value of eliminating broad network access in favour of per-app Zero Trust verification. One VPN-originated lateral movement incident can exceed the 3-year cost of Private Access licensing.
Field observation: The TCO case holds reliably for organisations over 500 users with dedicated VPN infrastructure. Below 200 users running VPN via firewall UTM bundles, the savings are marginal and the implementation cost can exceed 18-month licensing ROI. Size matters for this decision.
Entra Private Access vs Competing ZTNA Solutions
Microsoft is competing with established ZTNA players. Understanding the licensing comparison helps during EA negotiations — Microsoft will sharpen its price when it knows you have evaluated alternatives:
| Vendor | Product | Typical Enterprise Price | Microsoft Stack Advantage |
|---|---|---|---|
| Zscaler | Zscaler Private Access (ZPA) | $5–$8/user/month | Entra PA at $3 is 40–60% less |
| Palo Alto Networks | Prisma Access | $8–$15/user/month | Entra Suite at $12 is 20–60% less for full SSE |
| Cloudflare | Zero Trust (Teams) | $3–$7/user/month | Comparable price; Entra wins on M365 integration |
| Cisco | Cisco Secure Access (SSE) | $6–$10/user/month | Entra at $3 is 50–70% less for ZTNA-only |
| Ivanti | Ivanti Neurons for ZTA | $4–$6/user/month | Slight Entra advantage; comparable range |
The competitive pricing advantage is real, but it is only actionable when you present it to Microsoft. We consistently observe 15–22% additional discounts on Entra Suite when the procurement team demonstrates a live Zscaler or Palo Alto evaluation. Microsoft's commercial team is authorised to respond to documented competitive situations.
EA Negotiation Levers for Entra Private Access
Lever 1: Competitive Documentation
If you have received a formal proposal from Zscaler, Palo Alto, or Cloudflare, provide it to your Microsoft account team. Microsoft's response is typically a 15–25% immediate discount on the Entra Suite, plus deployment support credits. The key is documentation — a verbal "we're talking to others" carries no weight; a PDF proposal does.
Lever 2: Entra Suite vs Standalone Negotiation
If you need only Private Access (not Internet Access or Governance), the standalone $3/user/month is rational. But use the Entra Suite as negotiating leverage: tell Microsoft you are evaluating whether to licence the full Suite. They will typically offer the Suite at a price that makes the standalone look less attractive — effectively increasing your commitment value while appearing to give you a better deal. Know what you actually need before this conversation.
Lever 3: VPN Decommission Commitment
Microsoft values VPN displacement for its security reference value. Offer a written commitment to decommission named VPN infrastructure within 18 months of Private Access deployment in exchange for year-one pricing concessions or free deployment credits. FastTrack deployment support is available for qualifying customers and reduces implementation cost by $20,000–$60,000.
Lever 4: Three-Year Term with Year-One Staging
Negotiate a three-year EA commitment with staged deployment: licence 30% of users in year one (the technical pilot population), 100% from year two. This reduces year-one cash outlay while locking in a multi-year committed price. Microsoft's commercial team is routinely authorised to approve this structure for deals over $150,000 total contract value.
📄 Free Guide: Microsoft Identity & Zero Trust Licensing Guide
Complete framework covering Entra Private Access, Entra Suite, Global Secure Access, and Zero Trust licensing strategy for enterprise buyers.
Download Free Guide →Deployment Architecture and Licensing Boundaries
Connector Architecture
Private Access connectors are deployed on Windows Server 2016+ in your private network segments. Connectors are licensed at the user level — you are not paying per connector. Two connectors per network segment (for high availability) are the recommended minimum, and there is no additional licensing cost for connector redundancy. This is a meaningful advantage over per-appliance VPN licensing models.
Multi-Tenant and Affiliate Considerations
For organisations with multiple Entra tenants (common post-merger), each tenant requires its own Private Access licensing — licences are tenant-specific, not transferable. Cross-tenant user access scenarios require Entra Cross-Tenant Access policies and separate Private Access licences in each tenant. This is a cost trap in M&A scenarios that is frequently missed in initial budgeting.
Hybrid AD and Legacy Application Support
Quick Access mode (IP/FQDN-based rules) provides VPN-equivalent access for legacy applications that cannot be registered as individual enterprise apps. Quick Access requires only the base Private Access licence with no additional cost. Per-App Access (ZTNA enforcement per application) requires Entra ID P1 for Conditional Access, which is included in M365 E3+ or available as a standalone add-on.
Common Licensing Mistakes
Mistake 1: Assuming E5 includes Global Secure Access. Microsoft 365 E5 includes Entra ID P2 but does not include Entra Private Access or Internet Access. Organisations that see "Entra P2" on their SKU list and assume they are covered for Private Access are in for a budget surprise. Always verify against the product terms, not the feature marketing page.
Mistake 2: Licensing all users immediately. Private Access adoption rarely exceeds 40% of users in year one. Over-licensing 100% of the user base from day one wastes $36/user/year on seats that are not yet active. Negotiate a phased licensing schedule and adjust at true-up.
Mistake 3: Ignoring Internet Access in the TCO. Organisations that purchase Private Access to replace VPN often discover six months later that they also need Internet Access to replace their on-premises web proxy. Buying them together via the Entra Suite is 40% cheaper than two separate purchases. Evaluate both requirements upfront.
Mistake 4: Not including contractor and third-party access. Contractors accessing private resources via Private Access require licences too. If contractors are in your Entra directory as guests, they need Private Access licences at the same $3/user/month rate. Budget for this separately — it is frequently omitted from initial headcount calculations.
Related Identity & Zero Trust Licensing Articles
This article is part of our Microsoft Identity & Zero Trust Licensing cluster. Related guides in this series:
Related Microsoft Identity & Security Licensing Guides
- Microsoft Identity & Zero Trust Licensing: Complete Guide
- Microsoft Entra Suite Complete Licensing Guide
- Entra Cross-Tenant Access Licensing
- Entra Certificate-Based Authentication Licensing
- Microsoft Entra Verified ID Licensing
- Zero Trust Network Access Licensing Strategy
- Microsoft Sentinel Licensing & Cost Guide
- Entra ID P1 vs P2: Feature and Pricing Comparison