diff --git a/go.mod b/go.mod
index 4a3f12aee..0a3d35763 100644
--- a/go.mod
+++ b/go.mod
@@ -43,7 +43,7 @@ require (
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 // indirect
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
- github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect
+ github.com/AzureAD/microsoft-authentication-library-for-go v1.7.2 // indirect
 github.com/BurntSushi/toml v1.6.0 // indirect
 github.com/MakeNowJust/heredoc v1.0.0 // indirect
 github.com/Masterminds/goutils v1.1.1 // indirect
diff --git a/go.sum b/go.sum
index 4c7686d43..3727100ae 100644
--- a/go.sum
+++ b/go.sum
@@ -22,8 +22,8 @@ github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEK
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 h1:XRzhVemXdgvJqCH0sFfrBUTnUJSBrBf7++ypk+twtRs=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.7.2 h1:RHK7bS+HQMslb1sZpAokUt+zTVmue0hKSs2C791hhzU=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.7.2/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
 github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk=
 github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ=
diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential/confidential.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential/confidential.go index 29c004320..1b3e599b1 100644 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential/confidential.go +++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential/confidential.go @@ -359,7 +359,7 @@ func New(authority, clientID string, cred Credential, options ...Option) (Client // authCodeURLOptions contains options for AuthCodeURL type authCodeURLOptions struct { - claims, loginHint, tenantID, domainHint string + claims, loginHint, tenantID, domainHint, prompt string } // AuthCodeURLOption is implemented by options for AuthCodeURL @@ -369,7 +369,7 @@ type AuthCodeURLOption interface { // AuthCodeURL creates a URL used to acquire an authorization code. Users need to call CreateAuthorizationCodeURLParameters and pass it in. // -// Options: [WithClaims], [WithDomainHint], [WithLoginHint], [WithTenantID] +// Options: [WithClaims], [WithDomainHint], [WithLoginHint], [WithTenantID], [WithPrompt] func (cca Client) AuthCodeURL(ctx context.Context, clientID, redirectURI string, scopes []string, opts ...AuthCodeURLOption) (string, error) { o := authCodeURLOptions{} if err := options.ApplyOptions(&o, opts); err != nil { @@ -382,6 +382,7 @@ func (cca Client) AuthCodeURL(ctx context.Context, clientID, redirectURI string, ap.Claims = o.claims ap.LoginHint = o.loginHint ap.DomainHint = o.domainHint + ap.Prompt = o.prompt return cca.base.AuthCodeURL(ctx, clientID, redirectURI, scopes, ap) } 
@@ -431,6 +432,29 @@ func WithDomainHint(domain string) interface { } } +// WithPrompt adds prompt query parameter in the auth url. +func WithPrompt(prompt shared.Prompt) interface { + AuthCodeURLOption + options.CallOption +} { + return struct { + AuthCodeURLOption + options.CallOption + }{ + CallOption: options.NewCallOption( + func(a any) error { + switch t := a.(type) { + case *authCodeURLOptions: + t.prompt = prompt.String() + default: + return fmt.Errorf("unexpected options type %T", a) + } + return nil + }, + ), + } +} + // WithClaims sets additional claims to request for the token, such as those required by conditional access policies. // Use this option when Azure AD returned a claims challenge for a prior request. The argument must be decoded. // This option is valid for any token acquisition method. diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/base.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/base.go index abf54f7e5..9bd96090e 100644 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/base.go +++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/base.go @@ -302,13 +302,10 @@ func (b Client) AuthCodeURL(ctx context.Context, clientID, redirectURI string, s if authParams.DomainHint != "" { v.Add("domain_hint", authParams.DomainHint) } - // There were left over from an implementation that didn't use any of these. We may - // need to add them later, but as of now aren't needed. - /* - if p.ResponseMode != "" { - urlParams.Add("response_mode", p.ResponseMode) - } - */ + // Use form_post response mode for interactive auth to avoid exposing the auth code in the URL + if authParams.AuthorizationType == authority.ATInteractive { + v.Add("response_mode", "form_post") + } baseURL.RawQuery = v.Encode() return baseURL.String(), nil } 
diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/partitioned_storage.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/partitioned_storage.go index ff07d4b5a..5d018e117 100644 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/partitioned_storage.go +++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/partitioned_storage.go @@ -200,7 +200,16 @@ func (m *PartitionedManager) aadMetadataFromCache(ctx context.Context, authority func (m *PartitionedManager) aadMetadata(ctx context.Context, authorityInfo authority.Info) (authority.InstanceDiscoveryMetadata, error) { discoveryResponse, err := m.requests.AADInstanceDiscovery(ctx, authorityInfo) if err != nil { - return authority.InstanceDiscoveryMetadata{}, err + // If it's an invalid_instance error, always propagate + if strings.Contains(err.Error(), "invalid_instance") { + return authority.InstanceDiscoveryMetadata{}, err + } + // If the caller canceled the context, propagate + if ctx.Err() != nil { + return authority.InstanceDiscoveryMetadata{}, err + } + // For transient errors (network failures, HTTP 500, etc.), cache a fallback entry + return m.fallbackMetadata(authorityInfo.Host), nil } m.aadCacheMu.Lock() 
@@ -220,6 +229,27 @@ func (m *PartitionedManager) aadMetadata(ctx context.Context, authorityInfo auth return m.aadCache[authorityInfo.Host], nil } +// fallbackMetadata returns a cached fallback metadata entry for the given host. +// It first checks the known metadata provider for pre-baked alias data, then +// falls back to a self-entry. Acquires aadCacheMu. +func (m *PartitionedManager) fallbackMetadata(host string) authority.InstanceDiscoveryMetadata { + m.aadCacheMu.Lock() + defer m.aadCacheMu.Unlock() + if known, ok := authority.GetKnownMetadata(host); ok { + for _, alias := range known.Aliases { + m.aadCache[alias] = known + } + return known + } + fallback := authority.InstanceDiscoveryMetadata{ + PreferredNetwork: host, + PreferredCache: host, + Aliases: []string{host}, + } + m.aadCache[host] = fallback + return fallback +} + func (m *PartitionedManager) readAccessToken(envAliases []string, realm, clientID, userAssertionHash string, scopes []string, partitionKey, tokenType, authnSchemeKeyID string) (AccessToken, error) { m.contractMu.RLock() defer m.contractMu.RUnlock() @@ -306,7 +336,7 @@ func (m *PartitionedManager) writeRefreshToken(refreshToken accesstokens.Refresh m.contractMu.Lock() defer m.contractMu.Unlock() key := refreshToken.Key() - if m.contract.AccessTokensPartition[partitionKey] == nil { + if m.contract.RefreshTokensPartition[partitionKey] == nil { m.contract.RefreshTokensPartition[partitionKey] = make(map[string]accesstokens.RefreshToken) } m.contract.RefreshTokensPartition[partitionKey][key] = refreshToken diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/storage.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/storage.go index 825d8a0f6..8225e860a 100644 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/storage.go 
+++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/storage.go @@ -276,7 +276,16 @@ func (m *Manager) aadMetadata(ctx context.Context, authorityInfo authority.Info) defer m.aadCacheMu.Unlock() discoveryResponse, err := m.requests.AADInstanceDiscovery(ctx, authorityInfo) if err != nil { - return authority.InstanceDiscoveryMetadata{}, err + // If it's an invalid_instance error, always propagate + if strings.Contains(err.Error(), "invalid_instance") { + return authority.InstanceDiscoveryMetadata{}, err + } + // If the caller canceled the context, propagate + if ctx.Err() != nil { + return authority.InstanceDiscoveryMetadata{}, err + } + // For transient errors (network failures, HTTP 500, etc.), cache a fallback entry + return m.fallbackMetadata(authorityInfo.Host), nil } for _, metadataEntry := range discoveryResponse.Metadata { @@ -293,6 +302,25 @@ func (m *Manager) aadMetadata(ctx context.Context, authorityInfo authority.Info) return m.aadCache[authorityInfo.Host], nil } +// fallbackMetadata returns a cached fallback metadata entry for the given host. +// It first checks the known metadata provider for pre-baked alias data, then +// falls back to a self-entry. The caller must hold m.aadCacheMu. +func (m *Manager) fallbackMetadata(host string) authority.InstanceDiscoveryMetadata { + if known, ok := authority.GetKnownMetadata(host); ok { + for _, alias := range known.Aliases { + m.aadCache[alias] = known + } + return known + } + fallback := authority.InstanceDiscoveryMetadata{ + PreferredNetwork: host, + PreferredCache: host, + Aliases: []string{host}, + } + m.aadCache[host] = fallback + return fallback +} + func (m *Manager) readAccessToken(homeID string, envAliases []string, realm, clientID string, scopes []string, tokenType, authnSchemeKeyID, extCacheKey string) AccessToken { m.contractMu.RLock() 
diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go index c6baf2094..1fb012fea 100644 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go +++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go @@ -24,6 +24,7 @@ var okPage = []byte(`

Authentication complete. You can return to the application. Feel free to close this browser tab.

+

For your security: Do not share the contents of this page, the address bar, or take screenshots.

`) @@ -42,6 +43,20 @@ const failPage = ` ` +const unsupportedResponseModePage = ` + + + + + Authentication Failed + + +

Authentication failed. The response was received via a GET operation, which is not supported.

+

You can return to the application. Feel free to close this browser tab.

+ + +` + // Result is the result from the redirect. type Result struct { // Code is the code sent by the authority server. @@ -138,11 +153,24 @@ func (s *Server) putResult(r Result) { } func (s *Server) handler(w http.ResponseWriter, r *http.Request) { - q := r.URL.Query() + // Only accept POST requests (form_post response mode) + // GET requests with query parameters are not supported for security reasons + if r.Method != http.MethodPost { + w.WriteHeader(http.StatusMethodNotAllowed) + _, _ = w.Write([]byte(unsupportedResponseModePage)) + s.putResult(Result{Err: fmt.Errorf("response was received via a GET operation, which is not supported")}) + return + } + + // For form_post response mode, parameters come in the POST body + if err := r.ParseForm(); err != nil { + s.error(w, http.StatusBadRequest, "failed to parse form data: %v", err) + return + } - headerErr := q.Get("error") + headerErr := r.PostFormValue("error") if headerErr != "" { - desc := html.EscapeString(q.Get("error_description")) + desc := html.EscapeString(r.PostFormValue("error_description")) escapedHeaderErr := html.EscapeString(headerErr) // Note: It is a little weird we handle some errors by not going to the failPage. If they all should, // change this to s.error() and make s.error() write the failPage instead of an error code. @@ -152,7 +180,7 @@ func (s *Server) handler(w http.ResponseWriter, r *http.Request) { return } - respState := q.Get("state") + respState := r.PostFormValue("state") switch respState { case s.reqState: case "": @@ -163,9 +191,9 @@ func (s *Server) handler(w http.ResponseWriter, r *http.Request) { return } - code := q.Get("code") + code := r.PostFormValue("code") if code == "" { - s.error(w, http.StatusInternalServerError, "authorization code missing in query string") + s.error(w, http.StatusInternalServerError, "authorization code missing in response") return } 
diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/authority.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/authority.go index debd465db..db6f8b42e 100644 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/authority.go +++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/authority.go @@ -20,6 +20,8 @@ import ( "time" "github.com/google/uuid" + + msalerrors "github.com/AzureAD/microsoft-authentication-library-for-go/apps/errors" ) const ( @@ -61,6 +63,9 @@ var aadTrustedHostList = map[string]bool{ "login.microsoft.com": true, "sts.windows.net": true, "login.usgovcloudapi.net": true, + "login.sovcloud-identity.fr": true, // Bleu (France sovereign cloud) + "login.sovcloud-identity.de": true, // Delos (Germany sovereign cloud) + "login.sovcloud-identity.sg": true, // GovSG (Singapore sovereign cloud) } // TrustedHost checks if an AAD host is trusted/valid. @@ -607,6 +612,14 @@ func (c Client) AADInstanceDiscovery(ctx context.Context, authorityInfo Info) (I endpoint := fmt.Sprintf(aadInstanceDiscoveryEndpoint, discoveryHost) err = c.Comm.JSONCall(ctx, endpoint, http.Header{}, qv, nil, &resp) + if err != nil { + var callErr msalerrors.CallErr + if errors.As(err, &callErr) && callErr.Resp != nil && callErr.Resp.StatusCode == http.StatusBadRequest { + if strings.Contains(callErr.Err.Error(), "invalid_instance") { + return resp, fmt.Errorf("invalid_instance: the authority host is not valid: %w", err) + } + } + } } return resp, err } diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/known_metadata.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/known_metadata.go new file mode 100644 index 000000000..70e83bd71 --- /dev/null 
+++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/known_metadata.go 
@@ -0,0 +1,70 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT license. + +package authority + +// GetKnownMetadata returns the known instance discovery metadata for the given +// host, if any. Each call returns a fresh struct with its own Aliases slice, +// so callers may freely modify the result without affecting future calls. +func GetKnownMetadata(host string) (InstanceDiscoveryMetadata, bool) { + switch host { + // Public Cloud + case "login.microsoftonline.com", "login.windows.net", "login.microsoft.com", "sts.windows.net": + return InstanceDiscoveryMetadata{ + PreferredNetwork: "login.microsoftonline.com", + PreferredCache: "login.windows.net", + Aliases: []string{"login.microsoftonline.com", "login.windows.net", "login.microsoft.com", "sts.windows.net"}, + }, true + // China Cloud + case "login.partner.microsoftonline.cn", "login.chinacloudapi.cn": + return InstanceDiscoveryMetadata{ + PreferredNetwork: "login.partner.microsoftonline.cn", + PreferredCache: "login.partner.microsoftonline.cn", + Aliases: []string{"login.partner.microsoftonline.cn", "login.chinacloudapi.cn"}, + }, true + // Germany Cloud (legacy) + case "login.microsoftonline.de": + return InstanceDiscoveryMetadata{ + PreferredNetwork: "login.microsoftonline.de", + PreferredCache: "login.microsoftonline.de", + Aliases: []string{"login.microsoftonline.de"}, + }, true + // US Government Cloud + case "login.microsoftonline.us", "login.usgovcloudapi.net": + return InstanceDiscoveryMetadata{ + PreferredNetwork: "login.microsoftonline.us", + PreferredCache: "login.microsoftonline.us", + Aliases: []string{"login.microsoftonline.us", "login.usgovcloudapi.net"}, + }, true + // US Regional + case "login-us.microsoftonline.com": + return InstanceDiscoveryMetadata{ + PreferredNetwork: "login-us.microsoftonline.com", + PreferredCache: "login-us.microsoftonline.com", + Aliases: []string{"login-us.microsoftonline.com"}, + }, true + // Bleu (France sovereign cloud) + case 
"login.sovcloud-identity.fr": + return InstanceDiscoveryMetadata{ + PreferredNetwork: "login.sovcloud-identity.fr", + PreferredCache: "login.sovcloud-identity.fr", + Aliases: []string{"login.sovcloud-identity.fr"}, + }, true + // Delos (Germany sovereign cloud) + case "login.sovcloud-identity.de": + return InstanceDiscoveryMetadata{ + PreferredNetwork: "login.sovcloud-identity.de", + PreferredCache: "login.sovcloud-identity.de", + Aliases: []string{"login.sovcloud-identity.de"}, + }, true + // GovSG (Singapore sovereign cloud) + case "login.sovcloud-identity.sg": + return InstanceDiscoveryMetadata{ + PreferredNetwork: "login.sovcloud-identity.sg", + PreferredCache: "login.sovcloud-identity.sg", + Aliases: []string{"login.sovcloud-identity.sg"}, + }, true + default: + return InstanceDiscoveryMetadata{}, false + } +} diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/internal/comm/comm.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/internal/comm/comm.go index 790680366..87e38798a 100644 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/internal/comm/comm.go +++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/internal/comm/comm.go @@ -35,7 +35,7 @@ type HTTPClient interface { CloseIdleConnections() } -// Client provides a wrapper to our *http.Client that handles compression and serialization needs. +// Client provides a wrapper to our *http.Client that handles serialization needs. type Client struct { client HTTPClient } 
@@ -50,9 +50,9 @@ func New(httpClient HTTPClient) *Client { } // JSONCall connects to the REST endpoint passing the HTTP query values, headers and JSON conversion -// of body in the HTTP body. It automatically handles compression and decompression with gzip. The response is JSON -// unmarshalled into resp. resp must be a pointer to a struct. If the body struct contains a field called -// "AdditionalFields" we use a custom marshal/unmarshal engine. +// of body in the HTTP body. The response is JSON unmarshalled into resp. resp must be a pointer to +// a struct. If the body struct contains a field called "AdditionalFields" we use a custom +// marshal/unmarshal engine. func (c *Client) JSONCall(ctx context.Context, endpoint string, headers http.Header, qv url.Values, body, resp interface{}) error { if qv == nil { qv = url.Values{} @@ -284,25 +284,17 @@ func (c *Client) checkResp(v reflect.Value) error { return nil } -// readBody reads the body out of an *http.Response. It supports gzip encoded responses. +// readBody reads the body out of an *http.Response. Any Content-Encoding negotiated by the +// underlying http.Transport (typically gzip) is transparently decoded by the standard library +// before we get here. func (c *Client) readBody(resp *http.Response) ([]byte, error) { - var reader io.Reader = resp.Body - switch resp.Header.Get("Content-Encoding") { - case "": - // Do nothing - case "gzip": - reader = gzipDecompress(resp.Body) - default: - return nil, fmt.Errorf("bug: comm.Client.JSONCall(): content was send with unsupported content-encoding %s", resp.Header.Get("Content-Encoding")) - } - return io.ReadAll(reader) + return io.ReadAll(resp.Body) } var testID string // addStdHeaders adds the standard headers we use on all calls. func addStdHeaders(headers http.Header) http.Header { - headers.Set("Accept-Encoding", "gzip") // So that I can have a static id for tests. if testID != "" { headers.Set("client-request-id", testID) 
@@ -311,7 +303,7 @@ func addStdHeaders(headers http.Header) http.Header { headers.Set("client-request-id", uuid.New().String()) headers.Set("Return-Client-Request-Id", "false") } - headers.Set("x-client-sku", "MSAL.Go") + headers.Set("x-client-sku", version.SKU) headers.Set("x-client-os", runtime.GOOS) headers.Set("x-client-cpu", runtime.GOARCH) headers.Set("x-client-ver", version.Version) diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/internal/comm/compress.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/internal/comm/compress.go deleted file mode 100644 index 4d3dbfcf0..000000000 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/internal/comm/compress.go +++ /dev/null @@ -1,33 +0,0 @@ -// Copyright (c) Microsoft Corporation. -// Licensed under the MIT license. - -package comm - -import ( - "compress/gzip" - "io" -) - -func gzipDecompress(r io.Reader) io.Reader { - gzipReader, _ := gzip.NewReader(r) - - pipeOut, pipeIn := io.Pipe() - go func() { - // decompression bomb would have to come from Azure services. - // If we want to limit, we should do that in comm.do(). - _, err := io.Copy(pipeIn, gzipReader) //nolint - if err != nil { - // don't need the error. - pipeIn.CloseWithError(err) //nolint - gzipReader.Close() - return - } - if err := gzipReader.Close(); err != nil { - // don't need the error. - pipeIn.CloseWithError(err) //nolint - return - } - pipeIn.Close() - }() - return pipeOut -} diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/shared/shared.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/shared/shared.go index d8ab71356..77376d6ff 100644 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/shared/shared.go 
+++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/shared/shared.go @@ -70,3 +70,29 @@ func (acc Account) IsZero() bool { // DefaultClient is our default shared HTTP client. var DefaultClient = &http.Client{} + +type Prompt int64 + +const ( + PromptNone Prompt = iota + PromptLogin + PromptSelectAccount + PromptConsent + PromptCreate +) + +func (p Prompt) String() string { + switch p { + case PromptNone: + return "none" + case PromptLogin: + return "login" + case PromptSelectAccount: + return "select_account" + case PromptConsent: + return "consent" + case PromptCreate: + return "create" + } + return "" +} diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/version/version.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/version/version.go index 5e551abc8..40da7d5d1 100644 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/version/version.go +++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/version/version.go @@ -4,5 +4,8 @@ // Package version keeps the version number of the client package. package version +// SKU is the product name of this SDK communicated to the server. +const SKU = "MSAL.Go" + // Version is the version of this client package that is communicated to the server. -const Version = "1.4.2" +const Version = "1.7.2" diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/managedidentity/managedidentity.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/managedidentity/managedidentity.go index ca3de4325..ecb0fbeca 100644 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/managedidentity/managedidentity.go +++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/managedidentity/managedidentity.go 
@@ -30,6 +30,8 @@ import ( "github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/accesstokens" "github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority" "github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/shared" + "github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/version" + "github.com/google/uuid" ) // AuthResult contains the results of one token acquisition operation. @@ -621,6 +623,9 @@ func createIMDSAuthRequest(ctx context.Context, id ID, resource string) (*http.R return nil, fmt.Errorf("error creating http request %s", err) } req.Header.Set(metaHTTPHeaderName, "true") + req.Header.Set("x-client-SKU", version.SKU) + req.Header.Set("x-client-Ver", version.Version) + req.Header.Set("x-ms-client-request-id", uuid.New().String()) return req, nil } diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/public/public.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/public/public.go index 797c086cb..97c615452 100644 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/public/public.go +++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/public/public.go @@ -149,7 +149,7 @@ func New(clientID string, options ...Option) (Client, error) { // authCodeURLOptions contains options for AuthCodeURL type authCodeURLOptions struct { - claims, loginHint, tenantID, domainHint string + claims, loginHint, tenantID, domainHint, prompt string } // AuthCodeURLOption is implemented by options for AuthCodeURL 
@@ -159,7 +159,7 @@ type AuthCodeURLOption interface { // AuthCodeURL creates a URL used to acquire an authorization code. // -// Options: [WithClaims], [WithDomainHint], [WithLoginHint], [WithTenantID] +// Options: [WithClaims], [WithDomainHint], [WithLoginHint], [WithTenantID], [WithPrompt] func (pca Client) AuthCodeURL(ctx context.Context, clientID, redirectURI string, scopes []string, opts ...AuthCodeURLOption) (string, error) { o := authCodeURLOptions{} if err := options.ApplyOptions(&o, opts); err != nil { @@ -172,6 +172,7 @@ func (pca Client) AuthCodeURL(ctx context.Context, clientID, redirectURI string, ap.Claims = o.claims ap.LoginHint = o.loginHint ap.DomainHint = o.domainHint + ap.Prompt = o.prompt return pca.base.AuthCodeURL(ctx, clientID, redirectURI, scopes, ap) } @@ -526,9 +527,9 @@ func (pca Client) RemoveAccount(ctx context.Context, account Account) error { // interactiveAuthOptions contains the optional parameters used to acquire an access token for interactive auth code flow. type interactiveAuthOptions struct { - claims, domainHint, loginHint, redirectURI, tenantID string - openURL func(url string) error - authnScheme AuthenticationScheme + claims, domainHint, loginHint, redirectURI, tenantID, prompt string + openURL func(url string) error + authnScheme AuthenticationScheme } // AcquireInteractiveOption is implemented by options for AcquireTokenInteractive 
@@ -590,6 +591,33 @@ func WithDomainHint(domain string) interface { } } +// WithPrompt adds the IdP prompt query parameter in the auth url. +func WithPrompt(prompt shared.Prompt) interface { + AcquireInteractiveOption + AuthCodeURLOption + options.CallOption +} { + return struct { + AcquireInteractiveOption + AuthCodeURLOption + options.CallOption + }{ + CallOption: options.NewCallOption( + func(a any) error { + switch t := a.(type) { + case *authCodeURLOptions: + t.prompt = prompt.String() + case *interactiveAuthOptions: + t.prompt = prompt.String() + default: + return fmt.Errorf("unexpected options type %T", a) + } + return nil + }, + ), + } +} + // WithRedirectURI sets a port for the local server used in interactive authentication, for // example http://localhost:port. All URI components other than the port are ignored. func WithRedirectURI(redirectURI string) interface { @@ -674,7 +702,11 @@ func (pca Client) AcquireTokenInteractive(ctx context.Context, scopes []string, authParams.LoginHint = o.loginHint authParams.DomainHint = o.domainHint authParams.State = uuid.New().String() - authParams.Prompt = "select_account" + if o.prompt != "" { + authParams.Prompt = o.prompt + } else { + authParams.Prompt = shared.PromptSelectAccount.String() + } if o.authnScheme != nil { authParams.AuthnScheme = o.authnScheme } diff --git a/vendor/modules.txt b/vendor/modules.txt index c84d2f2ed..18d48922e 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -54,7 +54,7 @@ github.com/Azure/azure-sdk-for-go/sdk/internal/uuid ## explicit; go 1.16 github.com/Azure/go-ansiterm github.com/Azure/go-ansiterm/winterm -# github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 +# github.com/AzureAD/microsoft-authentication-library-for-go v1.7.2 ## explicit; go 1.18 github.com/AzureAD/microsoft-authentication-library-for-go/apps/cache github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential