This is the same as the `AzureAD` plugin except:

1. It uses tenant-specific `microsoftonline.com` v2 OAuth2 endpoints
   (hence the name), which means accepting a new Tenant Id argument
2. It uses a space instead of `,` as the scopes separator

Users of multi-tenant apps can provide a Tenant Id of `"common"`. I'm
also not certain if the space-vs-comma scopes separator represents a bug
in the `AzureAD` plugin, or just a difference in the actual v2 APIs.

This inherits the behavior of using email address as the `credIdent`
although this is definitely an `id` field in the User Response. I'm not
sure if there are trade-offs one way or another. Using `id` could mean
transparently handling Azure users changing their email, but I suspect
your identity is implicitly tied to email within Azure anyway, so that
would not be a case we'll ever see.

In the future, we can deprecate the `AzureAD` plugin and suggest users
migrate to this one.
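
An added example, not the plugin's own code and written in Python rather than the plugin's language: it builds the tenant-specific v2 authorize and token URLs and shows how the scope parameter is split on the receiving side, given that OAuth 2.0 (RFC 6749, section 3.3) defines `scope` as a space-delimited list. The function names, the tenant-id validation rules and the sample values in the demo are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"
SHARED_TENANTS = {"common", "organizations", "consumers"}
GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
DOMAIN = re.compile(
    r"[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+", re.I)


def tenant_endpoints(tenant_id):
    """Return (authorize, token) v2 endpoints for one tenant.

    The tenant id becomes a URL path segment, so anything that is not a
    shared alias, a GUID or a domain name is rejected before use.
    """
    if not (tenant_id in SHARED_TENANTS
            or GUID.fullmatch(tenant_id)
            or DOMAIN.fullmatch(tenant_id)):
        raise ValueError(f"unexpected tenant id: {tenant_id!r}")
    base = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0"
    return f"{base}/authorize", f"{base}/token"


def authorize_url(tenant_id, client_id, redirect_uri, scopes, state):
    """Build the authorization request with space-delimited scopes."""
    # Stricter than the RFC grammar: a comma inside one entry usually means a
    # comma-joined list, which the server would read as a single scope.
    if any(not s or re.search(r"[\s,]", s) for s in scopes):
        raise ValueError("each scope must be one token, no spaces or commas")
    authorize, _ = tenant_endpoints(tenant_id)
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    })
    return f"{authorize}?{query}"


def scopes_seen_by_server(url):
    """Split the scope parameter the way RFC 6749 section 3.3 defines it."""
    return parse_qs(urlsplit(url).query)["scope"][0].split(" ")


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    url = authorize_url("common", "client-123",
                        "https://app.example/callback",
                        ["openid", "User.Read"], "state-abc")
    print(url, scopes_seen_by_server(url), sep="\n")
```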