[Role] az ad app permission list/grant: Refine error message when no associated Service Principal exists for the App

[jiasli]

Description

Close #16862: az ad app permission grant fails with ResourceNotFoundError

When calling az ad app permission list/grant on an App without associated Service Principal, CLI fails with a raw error.

This PR refines the error message to tell the user to create a Service Principal instead.

Testing Guide

$appId=$(az ad app create --display-name testapp0223 --query appId --output tsv)
az ad app permission add --id $appId --api 00000002-0000-0000-c000-000000000000 --api-permissions 311a71cc-e848-46a1-bdf8-97ff7156d8e6=Scope
az ad app permission grant --id $appId --api 00000002-0000-0000-c000-000000000000

Before:

Operation failed with status: 'Not Found'. Details: 404 Client Error: Not Found for url: 
https://graph.windows.net/54826b22-38d6-4fb2-bad9-b7b93a3e9c5a/oauth2PermissionGrants?
$filter=clientId%20eq%20%273e192ff9-5cdc-45eb-9deb-d195cf7f5f2c%27&api-version=1.6

After:

Service principal with appId or objectId '3e192ff9-5cdc-45eb-9deb-d195cf7f5f2c' doesn't 
exist. If '3e192ff9-5cdc-45eb-9deb-d195cf7f5f2c' is an appId, make sure an associated 
service principal is created for the app. To create one, run `az ad sp create --id 
3e192ff9-5cdc-45eb-9deb-d195cf7f5f2c`.

[jiasli]

list returns a Paged object which calls REST API lazily, so this except CloudError will never be hit.

[yonzhan]

Role

[fengzhou-msft]

Shall we use a UserFault type error here?

[evelyn-ys]

InvalidArgumentValueError for example

[jiasli]

This is rather complex here as client_sp_object_id is indeed a valid appId but the app doesn't have associated SP. This command group is already considered deprecated (implicitly) anyway.