feat(m365): Support Shared Access Signatures for Cross-Tenant Reporting

[eagbaya]

🗣 Description

Introduces a new optional Terraform variable output_storage_container_sas to pass in a Shared Access Signature (SAS) token. When set, the SAS token will be used to authenticate to the output storage container when writing ScubaGear results. This is intended to be used when output_storage_container_url is set to a storage container in an external tenant.

💭 Motivation and context

This provides additional flexibility when the ScubaConnect deployment and the output storage container are in different tenants. Authentication to the storage container currently relies on RBAC. This is automatically configured if Terraform deploys the storage container as part of ScubaConnect, but otherwise the owner of the storage container must grant access to the ScubaConnect service principal (requiring multi-tenant app consent). SAS tokens provide a less cumbersome and more tightly-scoped method to grant this access.

🧪 Testing

✅ Pre-approval checklist

• This PR has an informative and human-readable title.
• PR targets the correct parent branch (e.g., main or release-name) for merge.
• Changes are limited to a single goal - eschew scope creep!
• Changes are sized such that they do not touch excessive number of files.
• All relevant repo and/or project documentation updated to reflect these changes.
• All automated checks (e.g., linting, static analysis, unit/smoke tests) passed.

✅ Post-merge checklist

• Feature branch deleted after merge to clean up repository.
• Verified that all checks pass on parent branch (e.g., main or release-name) after merge.