Description
Is your feature request related to a problem? Please describe.
Imagine a scenario where only the Linux VM Sign In resource requires MFA. In such a case, the initial "az login" would not trigger MFA, and then the subsequent "az ssh vm ..." attempt would fail and the CLI would currently suggest that the end user redo "az login". But that would end up in a loop.
This is not a new ask from SSH feature only. It could happen for any MFA-protected resource.
Describe the solution you'd like
Adding a new optional scope parameter to the initial login, i.e. "az login --scope foo".
It would be better if the error message also provided a full command with the specific scope, so that the end user can just copy and paste it to trigger a new interactive auth login.
Describe alternatives you've considered
n/a
Additional context
This is derived from an internal email conversation.
@jiasli , CC: @fengzhou-msft