Is your feature request related to a problem? Please describe.
A managed application has a managed identity you can use to manage a customer's environment.
For this managed identity, you can get the access tokens by making a REST call with your account:
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Solutions/applications/{applicationName}/listTokens?api-version=2018-09-01-preview HTTP/1.1
The issue now is that this token is only readily usable when doing REST calls to the resource manager. It's hard to use the Azure CLI to do anything using that token.
Describe the solution you'd like
I see 2 possible solutions to this problem:
We should be able to log in to the CLI by specifying the managed application, and also which credentials to use to request tokens from the managed application (either SP or user or..)
A more general solution is a way to 'import' or 'reuse' access tokens that we get from somewhere else.
Describe alternatives you've considered
Before the CLI used MSAL, I would have been able to put the access token in ~/.azure/AccessTokens.json, but that's not possible anymore.
Additional context
Ideally, we want to use Terraform to deploy resources, and we need a 'logged in' Azure CLI to do that. However, even without TF this feature would be very useful in scenarios where we want to manage a managed resource group in a managed application.