Better remediation error message when SSH cert cannot be obtained for an unmanaged/non-compliant device #16988

@rayluo

Is your feature request related to a problem? Please describe.

The az ssh vm ... feature could potentially fail due to not meeting a conditional access requirement. AAD tends to provide a user-friendly "error_description" in the token response. Today, MSAL already exposes the raw error response (which looks like {"error": "invalid_grant", "error_description": "An end user friendly message here blah blah blah", ...}) as the return value. Such a value is not currently relayed to the end user. Azure CLI currently prints a generic error message on the console: "Authentication is migrated to Microsoft identity platform (v2.0). Please run 'az login' to login."

Describe the solution you'd like
Let's figure out how to surface that info to the end user.

Describe alternatives you've considered
This used to also depend on Azure Identity. But the current plan is to directly call MSAL for the ssh cert feature.

Additional context
This issue is based on an internal email conversation.

@jiasli CC: @fengzhou-msft
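
One way the error response described in this issue could be relayed to the console, as an added example that is not part of the original issue and is not Azure CLI or MSAL code. The helper name `remediation_message` and the sample response are constructed for illustration; the server-supplied text is stripped of terminal control sequences before it is shown.

```python
import re

# Generic message the issue quotes Azure CLI as printing today.
GENERIC = ("Authentication is migrated to Microsoft identity platform (v2.0). "
           "Please run 'az login' to login.")

# Server-supplied text ends up on a terminal: drop ANSI CSI sequences, then
# any remaining control characters except tab and newline.
_ANSI = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")


def _clean(value, limit=1000):
    text = _ANSI.sub("", str(value))
    return _CONTROL.sub("", text)[:limit].strip()


def remediation_message(result):
    """Hypothetical helper: map a token-response dict to console text.

    Returns None when the response carries no "error" key, the service's
    error_description when one is present, and the generic text otherwise.
    """
    if not isinstance(result, dict) or "error" not in result:
        return None
    description = _clean(result.get("error_description", ""))
    if not description:
        return GENERIC
    lines = [description, "Error code: " + _clean(result["error"], 100)]
    if result.get("correlation_id"):
        # Lets support staff find the matching sign-in log entry.
        lines.append("Correlation ID: " + _clean(result["correlation_id"], 100))
    return "\n".join(lines)


# Constructed sample in the shape quoted in the issue, with an embedded
# escape sequence to show the sanitising step.
SAMPLE_ERROR = {
    "error": "invalid_grant",
    "error_description": "An end user friendly message here\x1b[2J blah blah blah\r\n",
    "correlation_id": "00000000-0000-0000-0000-000000000000",
}

if __name__ == "__main__":
    print(remediation_message(SAMPLE_ERROR))
```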
