[Feature Request] Support --scope in az login #17551

@jiasli

Is your feature request related to a problem? Please describe.

The current Azure CLI unconditionally uses ARM resource ID (e.g. `active_directory_resource_id='https://management.core.windows.net/',`) to call /authorize API of authorization code flow.

There are increasing asks for Conditional Access support from multiple service teams (#15220):

  • Storage
  • App Configuration
  • VM SSH

Describe the solution you'd like

We should reconsider supporting Conditional Access on dev branch.

In order to do so, az login must take --scope and use it in /authorize.

ℹ ADAL only takes resource, so scope must be converted back to resource using

```python
def scopes_to_resource(scopes):
    """Convert MSAL scopes to ADAL resource by stripping the /.default suffix and return a str.
    For example:
        ['https://management.core.windows.net//.default'] -> 'https://management.core.windows.net/'
        ['https://managedhsm.azure.com/.default'] -> 'https://managedhsm.azure.com'
    :param scopes: The MSAL scopes. It can be a list or tuple of string
    :return: The ADAL resource
    :rtype: str
    """
    scope = scopes[0]
    if scope.endswith("/.default"):
        scope = scope[:-len("/.default")]
    return scope
```
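
An added example, not part of the original issue or of Azure CLI's code: a stricter variant of the conversion above that refuses scope lists an ADAL `resource` cannot represent, plus the query string a resource-based /authorize request would carry. The names `scopes_to_single_resource` and `adal_authorize_query` are hypothetical, and the client ID and redirect URI in any call are constructed sample values.

```python
from urllib.parse import urlencode

DEFAULT_SUFFIX = "/.default"


def resource_to_scopes(resource):
    """ADAL resource -> MSAL scopes.

    A resource that ends in '/' produces '//.default'; the double slash is
    what lets the reverse conversion restore the trailing slash exactly.
    """
    return [resource + DEFAULT_SUFFIX]


def scopes_to_single_resource(scopes):
    """Strip '/.default' from every scope and require one common resource.

    ADAL's /authorize request carries exactly one `resource`, so a scope
    list spanning several resources is rejected instead of silently using
    only the first entry. Rejecting scopes without the '/.default' suffix
    is a choice made for this example (the function in the issue passes
    them through unchanged).
    """
    if not scopes:
        raise ValueError("at least one scope is required")
    resources = set()
    for scope in scopes:
        if not scope.endswith(DEFAULT_SUFFIX):
            raise ValueError("not a '/.default' scope: %r" % scope)
        resources.add(scope[:-len(DEFAULT_SUFFIX)])
    if len(resources) != 1:
        raise ValueError("scopes span multiple resources: %s" % sorted(resources))
    return resources.pop()


def adal_authorize_query(scopes, client_id, redirect_uri):
    """Query string for a resource-based (ADAL-style) /authorize request."""
    return urlencode({
        "response_type": "code",
        "client_id": client_id,          # sample value supplied by the caller
        "redirect_uri": redirect_uri,    # sample value supplied by the caller
        "resource": scopes_to_single_resource(scopes),
    })
```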
