Context
azure-keyvault-keys==4.5.0b5 made a breaking change to authentication:
It uses azure-identity's new multi-tenant authentication API get_token(tenant_id=...) from
After azure-keyvault-keys==4.5.0b5 was released, Azure CLI pinned azure-keyvault-keys to 4.5.0b4 as a quick fix (#20880).
Later on, tenant_id was discarded in get_token as another quick fix to support the new azure-keyvault-keys (#21244).
Now, azure-storage-blob will also implement authentication challenges (#20969). Even though azure-storage-blob currently doesn't pass tenant_id to get_token, it is possible this will be implemented in the future.
Proposed solution
Azure CLI should support get_token(tenant_id=...) API like azure-identity, so that Azure CLI can get an access token for another tenant using the refresh token of the current tenant.
Additional context
This approach adds additional complexity in error handling. Without this feature, if tenants don't match, we can simply fail with
The tenant in the authentication challenge doesn't match the current tenant.
However, if this is supported, and refreshing fails due to reasons such as conditional access (MFA), we will show another error message like
Authentication failed because MFA is needed.
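The flow the proposal describes, as an added example that is not Azure CLI's or azure-identity's own code: an SDK client receives a 401 with a Key Vault style Bearer challenge, extracts the tenant from its authorization URL, and calls get_token(scope, tenant_id=...). The CliCredential class, the fake_exchange token endpoint, the tenant names and the challenge values are all hypothetical and constructed so the code runs offline; the example also assumes the endpoint signals a conditional access (MFA) block with the OAuth2 "interaction_required" error. It shows both error paths from the issue: the plain tenant-mismatch failure when multi-tenant support is off, and the MFA failure when it is on but the refresh for the other tenant is blocked.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# key="value" pairs inside a Bearer challenge, e.g. authorization="https://...".
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


class OAuthError(Exception):
    """Error returned by the (simulated) token endpoint."""
    def __init__(self, error: str, description: str = ""):
        super().__init__(f"{error}: {description}")
        self.error = error


class TenantMismatchError(Exception):
    """Multi-tenant support is off and the challenge names another tenant."""


class MfaRequiredError(Exception):
    """Refreshing for the challenge tenant was blocked by conditional access."""


def parse_challenge(www_authenticate: str) -> Dict[str, str]:
    """Parse 'Bearer authorization="...", resource="..."' into its parameters."""
    scheme, _, params = www_authenticate.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    return dict(_PARAM_RE.findall(params))


def tenant_from_authority(authority: str) -> str:
    """Extract <tenant> from https://login.microsoftonline.com/<tenant>[/...]."""
    parts = authority.split("://", 1)[-1].split("/", 1)
    if len(parts) < 2 or not parts[1]:
        raise ValueError(f"authority has no tenant segment: {authority}")
    return parts[1].split("/", 1)[0]


@dataclass
class CliCredential:
    """Hypothetical stand-in for the CLI credential (not Azure CLI's own class)."""
    home_tenant: str
    refresh_token: str
    # (tenant, refresh_token, scope) -> access token; injected so this runs offline.
    exchange: Callable[[str, str, str], str]
    allow_multi_tenant: bool = False
    _cache: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def get_token(self, scope: str, tenant_id: Optional[str] = None) -> str:
        tenant = tenant_id or self.home_tenant
        if tenant != self.home_tenant and not self.allow_multi_tenant:
            # Without the proposal a tenant mismatch is a plain failure.
            raise TenantMismatchError(
                "The tenant in the authentication challenge doesn't match the current tenant.")
        key = (tenant, scope)
        if key not in self._cache:
            try:
                # With the proposal: redeem the home tenant's refresh token for the
                # challenge tenant, which can be refused by conditional access.
                self._cache[key] = self.exchange(tenant, self.refresh_token, scope)
            except OAuthError as exc:
                # Assumption: MFA / conditional access surfaces as 'interaction_required'.
                if exc.error == "interaction_required":
                    raise MfaRequiredError("Authentication failed because MFA is needed.") from exc
                raise
        return self._cache[key]


def token_for_challenge(credential: CliCredential, www_authenticate: str) -> str:
    """Answer a 401 challenge the way an SDK client would: pass its tenant to get_token."""
    params = parse_challenge(www_authenticate)
    tenant = tenant_from_authority(params["authorization"])
    scope = params.get("scope") or params["resource"].rstrip("/") + "/.default"
    return credential.get_token(scope, tenant_id=tenant)


# Constructed offline token endpoint: fake token strings, no network.
MFA_TENANT = "tenant-mfa"


def fake_exchange(tenant: str, refresh_token: str, scope: str) -> str:
    if tenant == MFA_TENANT:
        raise OAuthError("interaction_required", "conditional access policy requires MFA")
    return f"at-{tenant}-{scope}"


def make_credential(allow_multi_tenant: bool) -> CliCredential:
    return CliCredential("tenant-home", "rt-home", fake_exchange, allow_multi_tenant)


# Constructed challenge in the Key Vault format; the tenant value is made up.
KV_CHALLENGE = ('Bearer authorization="https://login.microsoftonline.com/tenant-other", '
                'resource="https://vault.azure.net"')
```

With allow_multi_tenant=False the challenge above fails with the tenant-mismatch message; with it enabled the credential obtains a token for tenant-other, and a challenge naming MFA_TENANT turns the endpoint's interaction_required error into the MFA message, which is the extra error-handling branch the issue points out.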