Make auth guidelines more explicit

We should add guidelines that require new services to start with managed identity, explicitly discourage the use of connection strings, etc.  We're always telling that to service teams during reviews, but making it explicit would be helpful too.