Microsoft Entra Application Proxy vs Global Secure Access: Which One Do You Actually Need?
Every few weeks, someone in an IT admin forum asks the same question: “Is Microsoft killing Application Proxy to force everyone onto Global Secure Access?” The anxiety is real. You’ve got App Proxy running, it works fine, and now Microsoft is pushing a new product that costs more money. It feels like the setup for a deprecation announcement.
Here’s the short answer: no. Microsoft hasn’t announced any deprecation plans for Application Proxy. They’re still shipping features for it. But that doesn’t mean the two products are interchangeable. They solve fundamentally different problems, and understanding the difference will save you from either overpaying or under-architecting.
What Each One Actually Does
Application Proxy has been around since 2014. It publishes on-premises web applications to external users without opening inbound firewall ports. You install a lightweight connector on a Windows Server inside your network; the connector makes outbound-only HTTPS connections to the Application Proxy service in Azure, so nothing inside your perimeter listens for internet traffic, and users reach the internal app through an external URL. With pre-authentication left on Entra ID (the default), the request is authenticated and evaluated against Conditional Access before the connector ever relays it to the backend, so you get single sign-on and Conditional Access for free. It handles HTTP and HTTPS only; anything that is not a web request is out of scope.
Global Secure Access (Private Access) went GA in July 2024 as part of the Microsoft Entra Suite. It’s Microsoft’s Zero Trust Network Access play, a full VPN replacement. Instead of tunneling all traffic through a concentrator, it creates per-app tunnels for specific resources. The big difference: it supports any TCP or UDP protocol. RDP, SSH, SMB, custom apps on proprietary ports. All of it. But it requires the Global Secure Access client installed on every device.
How They Compare
| | Application Proxy | Global Secure Access (Private Access) |
|---|---|---|
| Protocols | HTTP/HTTPS only | Any TCP/UDP (RDP, SSH, SMB, etc.) |
| Client Required | No (browser-based) | Yes (Global Secure Access client) |
| Licensing | Included with Entra ID P1 | Additional $5/user/month (or $12/user Entra Suite) |
| BYOD / Unmanaged Devices | Full support via browser | Preview (requires Entra device registration) |
| B2B Guest Access | Full support | Limited |
| ZTNA / Per-App Access | URL-based app publishing | Full ZTNA with per-app tunnels |
| SSO Method | Entra ID handles authentication (Kerberos, SAML, header-based) | Transparent tunnel, auth passes through to backend |
| VPN Replacement | No | Yes |
| Continuous Access Evaluation | Traditional CAE (app must be CAE-aware) | Universal CAE (works with any protocol) |
| On-Prem Connector | Private Network Connector | Same Private Network Connector |
The Licensing Question Everyone’s Really Asking
Let’s talk money, because that’s what’s actually driving the anxiety.
Application Proxy is included with Entra ID P1 at $6/user/month. If you’re running Microsoft 365 Business Premium or any E3/E5 plan, you already have it. No additional cost.
Global Secure Access Private Access costs $5/user/month on top of your P1 license. Or you can buy the Microsoft Entra Suite at $12/user/month, which bundles Private Access with Internet Access, ID Governance, and Verified ID.
So the real math: App Proxy costs you nothing extra. Private Access adds $5/user/month minimum. For a 200-person org, that’s $12,000/year.
That’s not trivial, and it’s why the community is nervous. When Microsoft builds a premium product that overlaps with a bundled one, history says the bundled one eventually gets deprioritized. But right now, the evidence says otherwise. App Proxy is still getting feature updates (SAML SSO went GA recently, WebSocket support is in preview), and Microsoft’s own documentation positions the two as complementary.
When Application Proxy Is the Right Call
Stick with Application Proxy when:
- Your remote access needs are web-only: internal portals, web-based LOB apps, reporting dashboards
- You support B2B guest users from partner organizations who need access to specific internal apps
- You have BYOD or unmanaged devices where you can’t install client software: contractors on personal laptops, vendor technicians on tablets
- Your budget doesn’t justify the per-user premium and you don’t need access to non-HTTP protocols
- You want zero client deployment where users just hit a URL and authenticate
Application Proxy is a mature, battle-tested product that does one thing well: it puts internal web apps on the internet safely. If that’s all you need, don’t overcomplicate it.
When You Need Global Secure Access
Move to Private Access when:
- You need remote access to non-HTTP resources: RDP to servers, SSH to network gear, SMB file shares, legacy apps on custom TCP ports
- You’re replacing a traditional VPN and want per-app access controls instead of network-level tunneling
- You want Universal Continuous Access Evaluation, the ability to revoke sessions in near real-time across any protocol, not just CAE-aware web apps
- Your users are on managed, Entra-joined devices where deploying the Global Secure Access client is straightforward
- You need a full ZTNA architecture with identity-centric, least-privilege access to every resource in your environment
Private Access is the modern answer to “our users need to reach internal stuff that isn’t a web app.” If you’re still running a VPN concentrator and hating it, this is the off-ramp.
They Share the Same Connectors — Use Both
Here’s the detail most people miss: Application Proxy and Global Secure Access Private Access run on the same Private Network Connector. It’s the same lightweight Windows Server agent, the same outbound-only architecture, the same connector groups. Microsoft even renamed it from “Application Proxy Connector” to “Private Network Connector” to reflect this.
That means you don’t have to choose one or the other. You can run both simultaneously on the same infrastructure:
- Use Application Proxy for your web apps, especially those accessed by B2B guests or unmanaged devices
- Use Private Access for your internal users who need RDP, SSH, or file share access from managed devices
- Deploy the Global Secure Access client only to the users who actually need non-HTTP access
No duplicate connectors. No migration. No rip-and-replace. The two products coexist by design.
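The coexistence model above, and the connector and pre-authentication behaviour described earlier, as an added PowerShell example. This is not code from the original post or from Microsoft; it is written against the Microsoft Graph beta `onPremisesPublishing` shapes from Microsoft's Application Proxy and Private Access Graph tutorials, so verify the property names against the current beta reference before relying on them. Every display name, URL, IP address and GUID is a placeholder, and the pilot group ID is assumed. It creates one Application Proxy web app and one Private Access RDP segment, binds both to the same Private Network Connector group, and then gives each its own Conditional Access policy from the same policy engine.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example (not the original post's or Microsoft's script): one App Proxy web app and one
# Private Access RDP segment on the SAME connector group, each with its own CA policy.
# Assumes the Graph beta onPremisesPublishing payloads from the Microsoft Graph tutorials;
# every name, URL, IP and GUID below is a placeholder.

$scopes = @("Application.ReadWrite.All", "Directory.ReadWrite.All",
            "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess")
Connect-MgGraph -Scopes $scopes -NoWelcome

$beta = "https://graph.microsoft.com/beta"
$v1   = "https://graph.microsoft.com/v1.0"
# On-premises application template used for both products (per the Graph tutorials)
$templateId   = "8adf8e6e-67b2-4cf2-a259-e3dc5476c621"
$pilotGroupId = "00000000-0000-0000-0000-0000000000aa"   # placeholder pilot group

function New-OnPremApp {
    # Instantiate the template; returns the application (.id = object id, .appId = client id)
    param([string]$DisplayName)
    $r = Invoke-MgGraphRequest -Method POST -Uri "$beta/applicationTemplates/$templateId/instantiate" `
         -Body @{ displayName = $DisplayName } -OutputType PSObject
    return $r.application
}

function Set-ConnectorGroup {
    # Bind an application to a connector group; identical call for App Proxy and Private Access
    param([string]$AppObjectId, [string]$ConnectorGroupId)
    $ref = @{ "@odata.id" = "$beta/onPremisesPublishingProfiles/applicationProxy/connectorGroups/$ConnectorGroupId" }
    Invoke-MgGraphRequest -Method PUT -Uri "$beta/applications/$AppObjectId/connectorGroup/`$ref" -Body $ref
}

function New-CaPolicy {
    # Report-only policy scoped to one app; switch state to "enabled" after reviewing sign-in logs
    param([string]$Name, [string]$AppId, [string[]]$Controls)
    $body = @{
        displayName   = $Name
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users          = @{ includeGroups = @($pilotGroupId) }
            applications   = @{ includeApplications = @($AppId) }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "AND"; builtInControls = $Controls }
    }
    Invoke-MgGraphRequest -Method POST -Uri "$v1/identity/conditionalAccess/policies" -Body $body -OutputType PSObject
}

# 1. The connector group both products will share (connectors must already be installed)
$groups = (Invoke-MgGraphRequest -Method GET -OutputType PSObject `
           -Uri "$beta/onPremisesPublishingProfiles/applicationProxy/connectorGroups").value
$cg = $groups | Where-Object { $_.isDefault } | Select-Object -First 1
if (-not $cg) { throw "No connector group found; install a Private Network Connector first." }

# 2. Application Proxy: HTTPS only, browser-reachable, Entra pre-authentication.
#    Never use "passthru" for an internet-facing app or Conditional Access is bypassed at the edge.
$web = New-OnPremApp -DisplayName "Contoso intranet portal (App Proxy)"
Invoke-MgGraphRequest -Method PATCH -Uri "$beta/applications/$($web.id)" -Body @{
    onPremisesPublishing = @{
        externalUrl                  = "https://portal-contoso.msappproxy.net/"   # placeholder
        internalUrl                  = "https://portal.corp.contoso.local/"       # must resolve from the connector host
        externalAuthenticationType   = "aadPreAuthentication"
        isTranslateHostHeaderEnabled = $true
        isHttpOnlyCookieEnabled      = $true
        isSecureCookieEnabled        = $true
    }
}
Set-ConnectorGroup -AppObjectId $web.id -ConnectorGroupId $cg.id

# 3. Private Access: a non-web app with a single TCP/3389 segment, reachable only via the GSA client
$rdp = New-OnPremApp -DisplayName "Jump host RDP (Private Access)"
Invoke-MgGraphRequest -Method PATCH -Uri "$beta/applications/$($rdp.id)" -Body @{
    onPremisesPublishing = @{ applicationType = "nonwebapp"; isAccessibleViaZTNAClient = $true }
}
Set-ConnectorGroup -AppObjectId $rdp.id -ConnectorGroupId $cg.id
$segUri = "$beta/applications/$($rdp.id)/onPremisesPublishing/segmentsConfiguration/" +
          "microsoft.graph.ipSegmentConfiguration/applicationSegments"
Invoke-MgGraphRequest -Method POST -Uri $segUri -Body @{
    destinationHost = "10.20.30.40"     # placeholder jump host
    destinationType = "ipAddress"
    ports           = @("3389-3389")    # one port, not a range: least privilege per segment
    protocol        = "tcp"
}

# 4. Same Conditional Access engine, different device posture per product
New-CaPolicy -Name "CA-AppProxy-Portal-MFA" -AppId $web.appId -Controls @("mfa") | Out-Null
New-CaPolicy -Name "CA-PrivateAccess-RDP-MFA-Compliant" -AppId $rdp.appId `
             -Controls @("mfa", "compliantDevice") | Out-Null

# 5. Verify both apps hang off the same connector group
foreach ($app in @($web, $rdp)) {
    $bound = Invoke-MgGraphRequest -Method GET -Uri "$beta/applications/$($app.id)/connectorGroup" -OutputType PSObject
    "{0,-40} -> connector group '{1}'" -f $app.displayName, $bound.name
}
```

Two things the script deliberately leaves out. Users or groups still have to be assigned to each enterprise application before anyone can sign in, and the Private Access app is only reachable from devices that have the Global Secure Access client installed, which is why its policy can demand a compliant device while the App Proxy policy settles for MFA. Both policies are created in report-only mode on purpose: check the sign-in logs for unexpected blocks before switching them to enforced.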
Bottom Line
Application Proxy and Global Secure Access aren’t competitors. They’re complements. App Proxy publishes web apps to anyone with a browser. Private Access tunnels any protocol to managed devices. One is included in your P1 license. The other costs extra but replaces your VPN.
The decision framework is simple:
- Web apps only, any device? → Application Proxy
- Non-HTTP protocols, managed devices? → Global Secure Access Private Access
- Both scenarios? → Run both on the same connectors
Don’t rip out App Proxy because you think it’s going away. Don’t buy Private Access licenses you don’t need. And don’t deploy a VPN when Microsoft is handing you a ZTNA alternative that plugs into the same Conditional Access policies you’re already writing.
If you’re not sure which approach fits your environment, or you need help architecting the coexistence model, let’s talk. We’ll look at your access patterns, your device landscape, and your licensing, and give you a straight answer.