[Core] Update global policy argument --acquire-policy-token to pick up new api-version and propagate correlation-id

[Celinadhh]

Related command

All cli commands where users set --acquire-policy-token

Description

This PR adds a few optimizations and updates to #31741. We are updating the api-version used for the acquire-policy-token calls so more information is outputted to the user. And also making sure the acquire-policy-token call uses the same correlation-id as its outgoing calls for easier debugging.

Testing Guide

1. Apply an invoke policy on your resource.
2. Delete your resource directly - failure expected.
3. Delete your resource with --acquire-policy-token, expect call to acquire-policy-token API with 2025-11-01 api-version that uses same correlation-id as resource delete.

---

This checklist is used to make sure that common guidelines for a pull request are followed.

• The PR title and description has followed the guideline in Submitting Pull Requests.

• I adhere to the Command Guidelines.

• I adhere to the Error Handling Guidelines.

[azure-client-tools-bot-prd]

Validation for Azure CLI Full Test Starting...

Thanks for your contribution!

[azure-client-tools-bot-prd]

Hi @Celinadhh,
Since the current milestone time is less than 7 days, this pr will be reviewed in the next milestone.

[azure-client-tools-bot-prd]

Validation for Breaking Change Starting...

Thanks for your contribution!

[Celinadhh]

Confirmed correlationId and api-version:

[Celinadhh]

@notyashhh PTAL, thank you! :)

[Copilot]

Pull request overview

This PR updates the internal acquirePolicyToken request made when users opt into the global --acquire-policy-token behavior, aligning it with a newer ARM API version and ensuring correlation ID continuity to simplify end-to-end debugging.

Changes:

• Bump acquirePolicyToken api-version from 2025-03-01 to 2025-11-01.
• Reuse (or generate and set) x-ms-correlation-request-id so the acquirePolicyToken call shares the same correlation ID as the gated operation.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[mentat9]

Wondering why you add the new correlation id to the incoming header when one isn't there. Is it used in creating the token (or for something else)?

[Celinadhh]

http_request is the original request (e.g. a storage account delete). If there is no existing correlation-id, we generate the correlation-id in the acquire-policy-token call, and propagate the same one to http_request (storage account delete).

[mentat9]

LGTM (modulo non-blocking question).

Also, I'm assuming you verified the policy context information comes back to the UI in the case no token is issued.

[Celinadhh]

LGTM (modulo non-blocking question).

Also, I'm assuming you verified the policy context information comes back to the UI in the case no token is issued.

Yes, this was validated. Attaching screenshot below:

[yonzhan]

Core