Allow az credential to get tokens for any tenant

[JimMadge]

✅ Checklist

• You have given your pull request a meaningful title (e.g. Enable foobar integration rather than 515 foobar).
• You are targeting the appropriate branch. If you're not certain which one this is, it should be develop.
• Your branch is up-to-date with the target branch (it probably was when you started, but it may have changed since then).
• You have marked this pull request as a draft and added '[WIP]' to the title if needed (if you're not yet ready to merge).
• You have formatted your code using appropriate automated tools (for example ./tests/AutoFormat_Powershell.ps1 -TargetPath <path to file or directory> for Powershell).

⤴️ Summary

Ensures that the Azure credential object can fetch tokens from any credential.

See here for details.

I think multi-tenant authentication is necessary as in general the tenant holding the AAD is not necessarily the same as the tenant holding RGs and other resources.

🌂 Related issues

🔬 Tests

Original error,

❯ dsh init --admin-group 347c68cb-261f-4a3e-ac3e-6af860b5fec9 --location uksouth --subscription "Data Safe Haven Development" --name gems
2023-09-19 16:07:37 [    INFO] Reading project settings from                                  backend_settings.py:110
'/Users/jmadge/Library/Application Support/data_safe_haven/config.yaml'.
2023-09-19 16:07:37 [    INFO] Saved project settings to '/Users/jmadge/Library/Application   backend_settings.py:145
Support/data_safe_haven/config.yaml'.
2023-09-19 16:07:37 [    INFO] Reading project settings from                                  backend_settings.py:110
'/Users/jmadge/Library/Application Support/data_safe_haven/config.yaml'.
2023-09-19 16:07:54 [    INFO] Ensured that resource group shm-gems-rg-backend exists in uksouth.    azure_api.py:509
2023-09-19 16:07:55 [    INFO] Ensured that managed identity shm-gems-identity-reader-backend        azure_api.py:468
exists.
2023-09-19 16:07:55 [    INFO] Ensured that storage account shmgemsbackend exists.                   azure_api.py:552
2023-09-19 16:07:55 [    INFO] Ensured that storage container config exists.                         azure_api.py:587
2023-09-19 16:07:56 [    INFO] Ensured that storage container pulumi exists.                         azure_api.py:587
2023-09-19 16:07:56 [    INFO] Ensured that key vault shm-gems-kv-backend exists.                    azure_api.py:313
2023-09-19 16:07:57 [   ERROR] Could not initialise Data Safe Haven.                                        cli.py:94
2023-09-19 16:07:57 [   ERROR] Failed to create backend resources.                                          cli.py:94
2023-09-19 16:07:57 [   ERROR] Failed to create key pulumi-encryption-key.                                  cli.py:94
2023-09-19 16:07:57 [   ERROR] The current credential is not configured to acquire tokens for tenant        cli.py:94
<REMOVED GUID>. To enable acquiring tokens for this tenant add it to the
additionally_allowed_tenants when creating the credential, or add "*" to additionally_allowed_tenants to
allow acquiring tokens for any tenant.

Upon the change in this PR

❯ dsh init --admin-group 347c68cb-261f-4a3e-ac3e-6af860b5fec9 --location uksouth --subscription "Data Safe Haven Development" --name gems
2023-09-19 16:33:18 [    INFO] Reading project settings from                                  backend_settings.py:110
'/Users/jmadge/Library/Application Support/data_safe_haven/config.yaml'.
2023-09-19 16:33:18 [    INFO] Saved project settings to '/Users/jmadge/Library/Application   backend_settings.py:145
Support/data_safe_haven/config.yaml'.
2023-09-19 16:33:18 [    INFO] Reading project settings from                                  backend_settings.py:110
'/Users/jmadge/Library/Application Support/data_safe_haven/config.yaml'.
2023-09-19 16:33:49 [    INFO] Ensured that resource group shm-gems-rg-backend exists in uksouth.    azure_api.py:509
2023-09-19 16:33:50 [    INFO] Ensured that managed identity shm-gems-identity-reader-backend        azure_api.py:468
exists.
2023-09-19 16:33:50 [    INFO] Ensured that storage account shmgemsbackend exists.                   azure_api.py:552
2023-09-19 16:33:51 [    INFO] Ensured that storage container config exists.                         azure_api.py:587
2023-09-19 16:33:51 [    INFO] Ensured that storage container pulumi exists.                         azure_api.py:587
2023-09-19 16:33:57 [    INFO] Ensured that key vault shm-gems-kv-backend exists.                    azure_api.py:313
2023-09-19 16:33:57 [    INFO] Ensured that key pulumi-encryption-key exists.                        azure_api.py:350
2023-09-19 16:34:01 [    INFO] Uploaded file config-gems.yaml to blob storage.                      azure_api.py:1192

[craddm]

LGTM

[jemrobinson]

Glad that this works. Not 100% sure why you're starting off with a credential that isn't valid for <REMOVED GUID> as this ought to be the default tenant for @turing.ac.uk accounts.