Most VPN migrations fail before they even start.

Not because of technology.

Because of approach.

In our latest podcast, remote access expert Richard Hicks shares something interesting:
1/5

He’s helped organizations transition away from legacy VPNs multiple times and the successful migrations all follow a similar pattern.

One of the biggest secrets?

👉 Don’t rip out the VPN first.

Instead:

🔹 Deploy Microsoft Entra Private Access alongside the existing VPN
2/5

🔹 Let the new client intercept traffic before the tunnel

🔹 Gradually move apps over

🔹 Then retire the VPN

This reduces risk dramatically and gives teams time to understand how identity-based access changes the model.

The shift is bigger than most teams expect:
3/5

🔰 Legacy VPN → network access

🔰 Modern Zero Trust → application access

If you're considering moving to Microsoft Entra Private Access, this episode is full of practical lessons from someone who has already done it several times.
4/5

🎧 Watch the full conversation at https://entra.news/p/how-to-migrate-from-legacy-vpns-to
5/5
How to Migrate from Legacy VPNs to Entra Private Access (Real Strategies from a Veteran)

VPN → Entra

Entra.News - Your weekly dose of Microsoft Entra

@merill

Most want network access though. I don't know a single customer that managed to do application-based access. (Other than with proxy servers.)

But even then it's apparently just too complicated to teach everyone how it works, and at some point they just give up and go with firewall rules and network-based access again, as that's what everyone is requesting rules for constantly anyway...

@agowa338 Yes, it's uphill, but now with AI it's going to be more important to be able to differentiate and manage access. It's no longer just the user who is accessing from the endpoint.

@merill

Most customers don't even do "API-Keys". They just do username and password. And when the API demands that you use an API-Key, you first have to prefix the script with logic to use the username and password to fetch the API-Key.

(Mainly because almost nothing allows generating "in perpetuity" API-Keys, and almost always there is no way to refresh the API-Keys within the automation or to otherwise prevent them from being single-use and the automation failing almost immediately...)

@merill

(Also, it wasn't even "just the user" until now either. Malicious JavaScript that does full-on network scans and reverse-tunnels internal websites back to the attacker through the browser, delivered through micro-targeted ads, has been around for years now, but not a single customer even wants to hear that.)