Azure
diff --git a/‎src/azure-cli-core/azure/cli/core/__init__.py‎
Lines changed: 2 additions & 1 deletion b/‎src/azure-cli-core/azure/cli/core/__init__.py‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/azure-cli-core/azure/cli/core/aaz/_client.py‎
Lines changed: 3 additions & 0 deletions b/‎src/azure-cli-core/azure/cli/core/aaz/_client.py‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/azure-cli-core/azure/cli/core/commands/arm.py‎
Lines changed: 46 additions & 0 deletions b/‎src/azure-cli-core/azure/cli/core/commands/arm.py‎
Lines changed: 46 additions & 0 deletions
diff --git a/‎src/azure-cli-core/azure/cli/core/commands/client_factory.py‎
Lines changed: 3 additions & 0 deletions b/‎src/azure-cli-core/azure/cli/core/commands/client_factory.py‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/azure-cli-core/azure/cli/core/sdk/policies.py‎
Lines changed: 53 additions & 0 deletions b/‎src/azure-cli-core/azure/cli/core/sdk/policies.py‎
Lines changed: 53 additions & 0 deletions
diff --git a/‎src/azure-cli/azure/cli/command_modules/acs/tests/latest/recordings/test_aks_abort.yaml‎
Lines changed: 5 additions & 5 deletions b/‎src/azure-cli/azure/cli/command_modules/acs/tests/latest/recordings/test_aks_abort.yaml‎
Lines changed: 5 additions & 5 deletions
@@ -61,7 +61,7 @@ def __init__(self, **kwargs):
         from azure.cli.core.breaking_change import register_upcoming_breaking_change_info
         from azure.cli.core.commands import register_cache_arguments
         from azure.cli.core.commands.arm import (
-            register_ids_argument, register_global_subscription_argument)
+            register_ids_argument, register_global_subscription_argument, register_global_policy_argument)
         from azure.cli.core.cloud import get_active_cloud
         from azure.cli.core.commands.transform import register_global_transforms
         from azure.cli.core._session import ACCOUNT, CONFIG, SESSION, INDEX, VERSIONS
@@ -90,6 +90,7 @@ def __init__(self, **kwargs):
         register_global_transforms(self)
         register_global_subscription_argument(self)
         register_ids_argument(self)  # global subscription must be registered first!
+        register_global_policy_argument(self)
         register_cache_arguments(self)
         register_upcoming_breaking_change_info(self)
 
 
@@ -73,6 +73,9 @@ def __init__(self, ctx, credential, **kwargs):
         base_url = self._build_base_url(ctx, **kwargs)
         if not base_url:
             raise CloudEndpointNotSetException()
+        if not kwargs.get('custom_hook_policy'):
+            from azure.cli.core.sdk.policies import get_custom_hook_policy
+            kwargs['custom_hook_policy'] = get_custom_hook_policy(ctx.cli_ctx)
         super().__init__(
             base_url=base_url,
             config=self._build_configuration(ctx, credential, **kwargs),
 
@@ -187,6 +187,52 @@ def resource_exists(cli_ctx, subscription, resource_group, name, namespace, type
     return existing
 
 
+def register_global_policy_argument(cli_ctx):
+
+    def add_global_policy_argument(_, **kwargs):
+        command_table = kwargs.get('commands_loader').command_table
+
+        if not command_table:
+            return
+
+        class ChangeReferenceAction(argparse.Action):  # pylint:disable=too-few-public-methods
+
+            def __call__(self, parser, namespace, value, option_string=None):
+                # save change reference to CLI context
+                cmd = getattr(namespace, 'cmd', None) or getattr(namespace, '_cmd', None)
+                cmd.cli_ctx.data['_change_reference'] = value
+
+        class AcquirePolicyTokenAction(argparse.Action):  # pylint:disable=too-few-public-methods
+
+            def __call__(self, parser, namespace, value, option_string=None):
+                # save change reference to CLI context
+                cmd = getattr(namespace, 'cmd', None) or getattr(namespace, '_cmd', None)
+                cmd.cli_ctx.data['_acquire_policy_token'] = True
+
+        for command in command_table.values():
+            if command.name.split()[-1] in ['list', 'show']:
+                continue
+
+            change_reference_kwargs = {
+                'help': 'The related change reference ID for this resource operation',
+                'arg_group': 'Global Policy',
+                'action': ChangeReferenceAction,
+            }
+            acquire_policy_token_kwargs = {
+                'help': 'Acquiring an Azure Policy token automatically for this resource operation',
+                'arg_group': 'Global Policy',
+                'nargs': 0,
+                'action': AcquirePolicyTokenAction,
+            }
+            command.add_argument('_change_reference', '--change-reference', **change_reference_kwargs)
+            command.add_argument('_acquire_policy_token', '--acquire-policy-token', **acquire_policy_token_kwargs)
+
+    policy_token_feature_enabled = cli_ctx.config.getboolean('core', 'enable_policy_token', False)
+    if policy_token_feature_enabled:
+        from knack import events
+        cli_ctx.register_event(events.EVENT_INVOKER_POST_CMD_TBL_CREATE, add_global_policy_argument)
+
+
 # pylint: disable=too-many-statements
 def register_ids_argument(cli_ctx):
 
 
@@ -166,6 +166,9 @@ def _prepare_client_kwargs_track2(cli_ctx):
     from azure.cli.core.sdk.policies import RecordTelemetryUserAgentPolicy
     client_kwargs['user_agent_policy'] = RecordTelemetryUserAgentPolicy(**client_kwargs)
 
+    from azure.cli.core.sdk.policies import get_custom_hook_policy
+    client_kwargs['custom_hook_policy'] = get_custom_hook_policy(cli_ctx)
+
     # Replace NetworkTraceLoggingPolicy to redact 'Authorization' and 'x-ms-authorization-auxiliary' headers.
     #   NetworkTraceLoggingPolicy: log raw network trace, with all headers.
     from azure.cli.core.sdk.policies import SafeNetworkTraceLoggingPolicy
 
@@ -103,3 +103,56 @@ def on_request(self, request):
         super().on_request(request)
         from azure.cli.core.telemetry import set_user_agent
         set_user_agent(request.http_request.headers[self._USERAGENT])
+
+
+# pylint: disable=line-too-long
+def get_custom_hook_policy(cli_ctx):
+    def _acquire_policy_token_request_hook(request):
+        http_request = request.http_request
+        if getattr(http_request, 'method', '') == 'GET':
+            return
+        ACQUIRE_POLICY_TOKEN_URL = '/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/acquirePolicyToken?api-version=2025-03-01'
+        policy_token = None
+
+        from azure.cli.core.azclierror import ServiceError
+        try:
+            import json
+            from azure.cli.core.util import send_raw_request
+            uri = getattr(http_request, 'url')
+            method = getattr(http_request, 'method')
+            content = getattr(http_request, 'content') if hasattr(http_request, 'content') else getattr(http_request, 'body')
+            if content and isinstance(content, str):
+                try:
+                    content = json.loads(content)
+                except json.decoder.JSONDecodeError:
+                    pass
+
+            acquire_policy_token_body = {
+                "operation": {
+                    "uri": uri,
+                    "httpMethod": method,
+                    "content": content
+                },
+                "changeReference": cli_ctx.data.get('_change_reference', None)
+            }
+            acquire_policy_token_response = send_raw_request(cli_ctx, 'POST',
+                                                             ACQUIRE_POLICY_TOKEN_URL,
+                                                             headers=['Content-Type=application/json',
+                                                                      'x-ms-force-sync=true'],
+                                                             body=json.dumps(acquire_policy_token_body))
+            if acquire_policy_token_response.status_code == 200 and acquire_policy_token_response.content:
+                response_content = json.loads(acquire_policy_token_response.content)
+                policy_token = response_content.get('token', None)
+                if not policy_token:
+                    raise ServiceError(f"No token returned. Response:{acquire_policy_token_response.content}")
+        except Exception as ex:
+            raise ServiceError(f"Failed to acquire policy token, exception: {ex}")
+        if policy_token:
+            request.http_request.headers['x-ms-policy-external-evaluations'] = policy_token
+
+    acquire_policy_token = cli_ctx.data.get('_acquire_policy_token', False)
+    change_reference = cli_ctx.data.get('_change_reference', None)
+    if change_reference or acquire_policy_token:
+        from azure.core.pipeline.policies import CustomHookPolicy
+        return CustomHookPolicy(raw_request_hook=_acquire_policy_token_request_hook)
+    return None
@@ -15,7 +15,7 @@ interactions:
       User-Agent:
       - AZURECLI/2.72.0 azsdk-python-core/1.31.0 Python/3.10.11 (Windows-10-10.0.26100-SP0)
     method: GET
-    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000002?api-version=2025-05-01
+    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000002?api-version=2025-07-01
   response:
     body:
       string: '{"error":{"code":"ResourceNotFound","message":"The Resource ''Microsoft.ContainerService/managedClusters/cliakstest000002''
@@ -125,7 +125,7 @@ interactions:
       User-Agent:
       - AZURECLI/2.72.0 azsdk-python-core/1.31.0 Python/3.10.11 (Windows-10-10.0.26100-SP0)
     method: PUT
-    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000002?api-version=2025-05-01
+    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000002?api-version=2025-07-01
   response:
     body:
       string: "{\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000002\",\n
@@ -221,7 +221,7 @@ interactions:
       User-Agent:
       - AZURECLI/2.72.0 azsdk-python-core/1.31.0 Python/3.10.11 (Windows-10-10.0.26100-SP0)
     method: GET
-    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000002?api-version=2025-05-01
+    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000002?api-version=2025-07-01
   response:
     body:
       string: "{\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000002\",\n
@@ -313,7 +313,7 @@ interactions:
       User-Agent:
       - AZURECLI/2.72.0 azsdk-python-core/1.31.0 Python/3.10.11 (Windows-10-10.0.26100-SP0)
     method: POST
-    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedclusters/cliakstest000002/abort?api-version=2025-05-01
+    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedclusters/cliakstest000002/abort?api-version=2025-07-01
   response:
     body:
       string: "{\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000002\",\n
@@ -565,7 +565,7 @@ interactions:
       User-Agent:
       - AZURECLI/2.72.0 azsdk-python-core/1.31.0 Python/3.10.11 (Windows-10-10.0.26100-SP0)
     method: GET
-    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000002?api-version=2025-05-01
+    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000002?api-version=2025-07-01
   response:
     body:
       string: "{\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000002\",\n