{Role} az ad sp create-for-rbac: Show warning when --scopes defaults to subscription

[jiasli]

Description
A temporary warning for #20806

For az ad sp create-for-rbac, when --role is given, --scope defaults to the subscription:

> az ad sp create-for-rbac --role Reader
...
Creating 'Reader' role assignment under scope '/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590'
...
{
  "appId": "9eb7e5f0-7a0b-4601-9d72-3f438fcace9f",
  "displayName": "azure-cli-2021-12-22-08-39-11",
  "password": "",
  "tenant": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a"
}

Without explicit consent from the user on the --scope, this behavior is considered Elevation of Privilege.

This PR adds a warning when --role is specified but --scopes is not:

> az ad sp create-for-rbac --role contributor
In a future release, --scopes argument will become required for creating a role asssignment. Please explicitly specify --scopes.
Creating 'contributor' role assignment under scope '/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590'
...
{
  "appId": "c337fa52-41d4-4234-8cf3-ac37b83f72c6",
  "displayName": "azure-cli-2022-01-13-06-17-22",
  "password": "",
  "tenant": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a"
}

[jiasli]

Removing the default value of --scopes will unify the behavior of az ad sp create-for-rbac and az vm/vmss create. az vm/vmss create currently does the opposite: it requires --scope but defaults --role to Contributor.

• [Compute] az vm/vmss create: Add warning log and modify help to inform that the default value Contributor of --role will be removed #20924

[jiasli]

Unlike #20924, the default value assignment is done in our own custom function, instead of letting knack assign the default value and set is_default.

[zhoxing-ms]

Just out of curiosity, ask another related question:

If users do not pass in --role but only the --scopes, the --scopes will be ignored directly without any prompt, right?
If so, does this meet expectations?

[dbradish-microsoft]

@yonzhan / @chasewilson , Why do we have hidden defaults anywhere? Can't we handle all defaults with a set default command like az param-persist or az account set? We just modified 126 articles removing dependence on the default contributor role but we did not add a --scope parameter. If --scope is going to continue to default, I feel the warning is a good idea.

I do like @zhoxing-ms 's question and would like to put in my vote for a 2nd warning message. Although it doesn't seem logical to --scope a role that isn't being created, it's bound to be attempted.

[jiasli]

Just out of curiosity, ask another related question:

If users do not pass in --role but only the --scopes, the --scopes will be ignored directly without any prompt, right? If so, does this meet expectations?

In the future, this usage will trigger an error.