Strengthen auth linter to require managed identity by default

[tg-msft]

Clear and concise description of the problem

We should strengthen https://github.com/Azure/typespec-azure/blob/main/packages/typespec-azure-core/src/rules/auth-required.ts to require managed identity for all services and suppress the warning for anything brownfield. We need to make a corresponding change to Azure's guidelines tracked at https://github.com/microsoft/api-guidelines/issues/544.

Checklist

• [X] Follow our Code of Conduct
• [X] Check that this issue is about the Azure libraries for typespec. For feature request in the typespec language or core libraries file it in the TypeSpec repo
• [X] Read the docs.
• [X] Check that there isn't already an issue that request the same feature to avoid creating a duplicate.

[markcowl]

@tg-msft We don't describe mechanisms for acquiring tokens in API Specs, do we want to discourage authentication mechanisms other than 0auth in API SPecs (like ApiKeyAuth), or is there some other ask here?

There are some API patterns apart from spec authentication that are problematic, such as passing secrets in PUT / POST (Create) payloads, not marking properties named 'password' or 'credential' or 'token' as @secret, etc. Are there some API-specific practices like these that we would like to lint for as well?

[tg-msft]

do we want to discourage authentication mechanisms other than 0auth in API SPecs (like ApiKeyAuth), or is there some other ask here?

The current linting rule validates that any auth mechanism is present and will be happy with just api keys. I'm asking to validate everyone has OAuth so services who don't support it have to explicitly #suppress, explain why to reviewers, and be easily tracked. I don't think we need to do anything about other auth mechanisms for now.

We could probably do more security linting for worst practices, but this issue is scoped to just aligning this linting rule with whatever we do for https://github.com/microsoft/api-guidelines/issues/544.