The enterprise VPN market is contracting at 8% annually as Zero Trust Network Access displaces it. In 2026, the ZTNA licensing market has converged around three viable paths for Microsoft-centric organisations: Microsoft Entra Private Access (part of the Entra Suite), Zscaler Private Access (ZPA), and Cloudflare Zero Trust. The licensing economics have shifted decisively in Microsoft's favour for organisations already paying for M365 E3 or E5. This guide provides the complete comparison framework and transition strategy.
VPN vs ZTNA: What Changes in the Access Model
Traditional VPN grants network-level access: once authenticated, users can reach any resource on the connected network segment. ZTNA grants application-level access: each connection attempt is evaluated against identity, device, and context signals, and access is granted to specific applications only.
| Dimension | Traditional VPN | Zero Trust Network Access |
|---|---|---|
| Access scope | Network segment / subnet | Specific application / resource |
| Authentication frequency | Once at session start | Continuous per-session verification |
| Lateral movement risk | High — network-level access enables pivot | Eliminated — app-level access only |
| Device trust signal | Optional / weak (certificate) | Mandatory — real-time compliance check |
| Remote access performance | Degrades with distance from VPN gateway | Optimised via global PoP network |
| Legacy application support | Full (network access) | Limited for non-app-aware protocols |
| Infrastructure required | VPN gateways, concentrators, firewalls | Lightweight connectors only |
| Operational complexity | High — gateway management, certificate renewal | Low — cloud-managed connectors |
ZTNA Licensing Market: 2026 Pricing Comparison
| Vendor | Product | ZTNA-Only Price | Full SSE Bundle | Microsoft 365 Integration |
|---|---|---|---|---|
| Microsoft | Entra Private Access | $3/user/month | Entra Suite $12/user/month | Native (same identity stack) |
| Zscaler | ZPA Business | $5–$8/user/month | ZIA + ZPA ~$15–$22/user/month | API integration (SCIM/SAML) |
| Cloudflare | Zero Trust Teams | $3–$7/user/month (per tier) | Cloudflare One $8–$14/user/month | API integration (SCIM/SAML) |
| Palo Alto | Prisma Access (ZTNA 2.0) | $8–$12/user/month | $12–$20/user/month | API integration |
| Cisco | Secure Access (SSE) | $6–$10/user/month | $10–$16/user/month | API integration |
| Netskope | Netskope Private Access | $6–$9/user/month | $12–$18/user/month | API integration |
At $3/user/month, Entra Private Access is tied for the lowest ZTNA price in the market. The differentiation is integration depth: Entra Private Access is native to the same identity stack that manages M365 access, Conditional Access policies, and device compliance. Configuring ZTNA as a Conditional Access-enforced application provides the same policy framework as M365 app access — no separate policy engine, no identity federation complexity.
The Microsoft Zero Trust Licensing Stack
Implementing Zero Trust network access using the Microsoft stack requires assembling several product licences that work together as a coherent architecture:
| Layer | Product | Function | Licence Required |
|---|---|---|---|
| Identity | Microsoft Entra ID P1 | Conditional Access policy engine | M365 E3+ or standalone $6/user/month |
| Identity Protection | Entra ID P2 / ID Protection | Risk-based access evaluation | M365 E5 or Entra Suite ($12) |
| Network Access (Private) | Entra Private Access | ZTNA for private corporate resources | Standalone $3 or Entra Suite |
| Network Access (Internet) | Entra Internet Access | SWG for internet-bound traffic | Standalone $5 or Entra Suite |
| Device Signal | Microsoft Intune | Device compliance verification | Intune Plan 1 ~$8/user/month; included in E3 |
| Endpoint Security | Defender for Endpoint P2 | Device health signal for ZTNA decisions | M365 E5 or standalone ~$5.20 |
| Network Analytics | Global Secure Access dashboard | Traffic analytics, anomaly detection | Included with Entra Private/Internet Access |
The minimum viable Zero Trust network access configuration for Microsoft is M365 E3 (includes P1 + Intune) plus the Entra Private Access add-on ($3/user/month). At M365 E3 pricing of $36/user/month + $3 = $39/user/month, this delivers ZTNA with Conditional Access enforcement and device compliance checking — a security posture that was previously achievable only with a dedicated ZTNA vendor at additional cost.
ZTNA Migration Planning: Licensing Transition Framework
VPN-to-ZTNA migration for an enterprise of 3,000 users requires a phased licensing approach to avoid paying for both VPN infrastructure and ZTNA licences simultaneously for an extended period:
Phase 1: Parallel Deployment (Months 1–4)
Licence Entra Private Access for the pilot group (100–200 users — IT, security, select business users). VPN remains operational for the full organisation. Cost: $300–$600/month incremental for pilot licences. Use this phase to register your top 20 business-critical applications as enterprise apps and test Per-App Access mode with Conditional Access enforcement.
Phase 2: Application Migration (Months 3–10)
Expand Private Access licensing to early-adopter departments (25–40% of users). For each department migrated, retire the corresponding VPN capacity (reduce VPN appliance licences or decommission gateway nodes). The goal is a VPN licence cost reduction that offsets the incremental Private Access licensing. Target: by months 6–7, VPN cost reduction should offset 50% of the Private Access licensing cost.
Phase 3: Full Cutover (Months 9–14)
Expand Private Access to 100% of users. Migrate remaining legacy applications using Quick Access mode (IP/FQDN-based rules) for applications that cannot be registered as individual enterprise apps. Issue VPN decommission notice to vendor. Full licensing cost savings materialise from month 14 onwards when VPN infrastructure is eliminated.
Financial milestone: For a 3,000-user organisation with $480,000/year in VPN total cost of ownership, the break-even point with Entra Private Access licensing ($108,000/year) occurs in month 8 of the migration when VPN cost reduction exceeds Private Access incremental cost. Total year-one saving is typically $120,000–$180,000 depending on VPN infrastructure complexity.
When to Choose a Non-Microsoft ZTNA Vendor
Microsoft Entra Private Access is not the correct choice in every scenario. Three situations favour a non-Microsoft ZTNA vendor:
Multi-cloud identity environments: Organisations using Okta, Ping Identity, or AWS IAM as the primary identity provider have additional integration complexity with Entra Private Access that does not exist with Zscaler or Cloudflare. If your identity plane is not primarily Microsoft Entra ID, the integration advantage disappears.
Advanced SWG requirements: If your internet access security requirements include advanced DLP for outbound web traffic, full SSL inspection with granular exception policies, or Firewall-as-a-Service capabilities, mature SWG vendors (Zscaler, Netskope, Palo Alto) currently offer more complete feature sets than Entra Internet Access. Evaluate whether Entra Internet Access will meet your requirements within the next 12–18 months before committing.
Brownfield VPN with complex protocol dependencies: Environments with industrial control systems, legacy thick-client applications, or IPSec-dependent protocols that require genuine network-level tunnelling may not be fully migratable to ZTNA within a typical 12–18 month window. Hybrid coexistence periods increase overall TCO. In these scenarios, a phased 3–5 year timeline with gradual ZTNA expansion is more realistic than a full VPN replacement business case.