Bhavin Vadher
Copper Contributor
Jul 14, 2025

Conditional access, Persistent Browser sessions and Azure File shares in Storage Accounts

Hello,
I am in the process of doing a POC for Azure file sync from DFS to Azure file shares with an end goal of using Azure files shares and getting rid of DFS. I want to use Entra for identity access. One of the changes I need to make is to set Persistent browser session in our MFA all user policy to "Never" so that the storage enterprise app does not get targeted for MFA, otherwise it won't work.

How do I go about doing this without affecting any other users, as it's a global policy? I know I need to do this because I get this error when I add the Storage Account ent app to the targeted resources (formerly cloud apps) exclusion list:

"Message from server: The server could not process the request because it is malformed or incorrect.
1032: ConditionalActionPolicy validation failed due to InvalidConditionsForPersistentBrowserSessionMode."

Any ideas of how to get around this without affecting anyone else and only target the storage account ent app?

Cheers

1 Reply

  • TomerN
    Copper Contributor

    I didn't test, but in my opinion this is what is happening and this is what you could possibly do.

    When setting up a conditional access policy with Persistent Browser Session, Entra only supports PBS settings when the policy targets "All cloud apps". This is documented by Microsoft:

    https://learn.microsoft.com/en-us/graph/api/resources/conditionalaccesssessioncontrols?view=graph-rest-1.0

    The error you received probably means you're trying to set Persistent Browser Session to a value like "Never" in a CA policy that targets specific cloud apps (resources), which isn't allowed.

    What you can do, in my opinion (but you'll have to test before):

    Split the policies:

    • Create one CA policy targeting “All cloud apps” with PBS set to “Never”.
    • Create another policy that handles MFA exclusions for the Storage Account Enterprise App without touching PBS.

    Do not combine PBS settings with app scoping:

    • Entra only allows PBS settings if the CA policy targets “All cloud apps”, not specific ones.
    • So remove the PBS config from the policy where you define the exclusions and apply it globally in its own policy.

    But don't do this:

    1. Avoid setting PBS = Never in a CA policy scoped to specific apps; that's what causes the 1032 error.

    2. Don’t try to override the PBS setting per-app; it’s only supported globally across all apps.

     

    This might be a delicate situation, I would test first with other apps.
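
An added example, not part of either post: a pre-flight check over policy JSON in the Microsoft Graph conditionalAccessPolicy shape that flags a policy combining the persistentBrowser session control with app scoping, run against the combined policy from the question and the split pair from the reply. The policy names, the helper names and the app ID are constructed placeholders, and treating a non-empty exclusion list as app scoping is an assumption taken from the original poster's error report.

```python
# Added example: pre-flight lint for Conditional Access policy JSON
# (Microsoft Graph conditionalAccessPolicy shape).

def pbs_scope_findings(policy):
    """List the reasons a policy mixes persistent browser session (PBS)
    control with app scoping; an empty list means no conflict."""
    session = policy.get("sessionControls") or {}
    pbs = session.get("persistentBrowser") or {}
    if not pbs.get("isEnabled"):
        return []  # no PBS control here, so app scoping is fine
    apps = (policy.get("conditions") or {}).get("applications") or {}
    include = apps.get("includeApplications") or []
    exclude = apps.get("excludeApplications") or []
    findings = []
    if include != ["All"]:
        findings.append(f"PBS mode {pbs.get('mode')!r} with includeApplications={include}")
    if exclude:
        # Assumption taken from the original post: adding an app to the
        # exclusion list of a PBS policy is what triggered error 1032.
        findings.append(f"PBS mode {pbs.get('mode')!r} with excludeApplications={exclude}")
    return findings

def lint(policies):
    """Map displayName -> findings for every policy that has any."""
    report = {}
    for p in policies:
        found = pbs_scope_findings(p)
        if found:
            report[p["displayName"]] = found
    return report

STORAGE_APP_ID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
MFA = {"operator": "OR", "builtInControls": ["mfa"]}

def policy(name, exclude=(), pbs_mode=None, grant=None):
    """Build a constructed sample policy targeting all users and all apps."""
    p = {"displayName": name, "grantControls": grant,
         "conditions": {"users": {"includeUsers": ["All"]},
                        "applications": {"includeApplications": ["All"],
                                         "excludeApplications": list(exclude)}}}
    if pbs_mode:
        p["sessionControls"] = {"persistentBrowser": {"isEnabled": True, "mode": pbs_mode}}
    return p

# Constructed samples: the combined policy from the question, then the split pair.
COMBINED = [policy("MFA all users", [STORAGE_APP_ID], "never", MFA)]
SPLIT = [policy("PBS never, all apps", pbs_mode="never"),
         policy("MFA all users except storage", [STORAGE_APP_ID], grant=MFA)]

if __name__ == "__main__":
    print(lint(COMBINED))
    print(lint(SPLIT))
```

The same check can be pointed at policies exported from the tenant before a change is submitted, so the conflict shows up locally instead of as a server-side validation error.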
