Forum Discussion
Conditional access, Persistent Browser sessions and Azure File shares in Storage Accounts
I didn't test, but in my opinion this is what is happening and this is what you could possibly do.
When setting up a conditional access policy with Persistent Browser Session, Entra only supports PBS settings when the policy targets "All cloud apps". This is documented by Microsoft:
https://learn.microsoft.com/en-us/graph/api/resources/conditionalaccesssessioncontrols?view=graph-rest-1.0
The error you received probably means you're trying to set Persistent Browser Session to a value like "Never" in a CA policy that targets specific cloud apps (resources), which isn't allowed.
What you can do, in my opinion (but you'll have to test before):
Split the policies:
- Create one CA policy targeting “All cloud apps” with PBS set to “Never”.
- Create another policy that handles MFA exclusions for the Storage Account Enterprise App without touching PBS.
Do not combine PBS settings with app scoping:
- Entra only allows PBS settings if the CA policy targets “All cloud apps”, not specific ones.
- So remove the PBS config from the policy where you define the exclusions and apply it globally in its own policy.
But don't do this:
1. Avoid setting PBS = Never in a CA policy scoped to specific apps, that's what causes the 1032 error.
2. Don’t try to override PBS setting per-app, it’s only supported globally across all apps.
This might be a delicate situation; I would test first with other apps.
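Added example, not part of the original post: a small Python check that can be run over Conditional Access policies exported as Microsoft Graph `conditionalAccessPolicy` JSON, flagging any policy that sets the persistent browser session control while being scoped to specific apps or carrying app exclusions. The policy names, the `policy` helper and the all-zero app id are constructed placeholders, and the exclusion rule follows the advice in the post rather than a verified platform rule.

```python
# Added example: lint Conditional Access policies exported as Microsoft Graph
# conditionalAccessPolicy JSON for the PBS / app-scoping conflict in this thread.

def pbs_findings(policy):
    """Return findings for one policy dict (empty list means no PBS conflict)."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    include = apps.get("includeApplications") or []
    exclude = apps.get("excludeApplications") or []
    pbs = (policy.get("sessionControls") or {}).get("persistentBrowser") or {}
    if not pbs.get("isEnabled"):
        return []  # policy does not touch PBS, nothing to check
    findings = []
    if include != ["All"]:
        findings.append("PBS set on a policy that does not target All cloud apps")
    if exclude:
        # Follows the post's advice to keep exclusions out of the PBS policy.
        findings.append("PBS combined with app exclusions; split into two policies")
    return findings

def lint(policies):
    """Map displayName -> findings for every policy with at least one finding."""
    return {p["displayName"]: f for p in policies if (f := pbs_findings(p))}

# Placeholder app id standing in for the Storage Account enterprise app.
STORAGE_APP = "00000000-0000-0000-0000-000000000000"
PBS_NEVER = {"persistentBrowser": {"isEnabled": True, "mode": "never"}}
MFA = {"operator": "OR", "builtInControls": ["mfa"]}

def policy(name, include, exclude=(), session=None, grant=None):
    """Build a constructed sample policy in Graph's JSON shape."""
    return {"displayName": name,
            "conditions": {"applications": {"includeApplications": list(include),
                                            "excludeApplications": list(exclude)}},
            "grantControls": grant, "sessionControls": session}

# Constructed samples: two layouts to avoid, then the split layout from the post.
AVOID = [policy("MFA + PBS, storage only", [STORAGE_APP], session=PBS_NEVER, grant=MFA),
         policy("MFA + PBS, storage excluded", ["All"], [STORAGE_APP], PBS_NEVER, MFA)]
SPLIT = [policy("PBS never, all apps", ["All"], session=PBS_NEVER),
         policy("MFA, storage excluded", ["All"], [STORAGE_APP], grant=MFA)]

if __name__ == "__main__":
    for name, findings in lint(AVOID + SPLIT).items():
        print(name, "->", "; ".join(findings))
```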