diff --git a/config/microsoft-graph.hcl b/config/microsoft-graph.hcl
index 2d4db8bbf8a..b0d5c8f0ab6 100644
--- a/config/microsoft-graph.hcl
+++ b/config/microsoft-graph.hcl
@@ -6,11 +6,6 @@ service "administrativeUnits" {
   available = ["beta"]
 }
 
-service "appRoleAssignments" {
-  name      = "AppRoleAssignments"
-  available = ["beta"]
-}
-
 service "applications" {
   name      = "Applications"
   available = ["stable", "beta"]
diff --git a/submodules/msgraph-metadata b/submodules/msgraph-metadata
index 1c4023e9efb..27f1b898503 160000
--- a/submodules/msgraph-metadata
+++ b/submodules/msgraph-metadata
@@ -1 +1 @@
-Subproject commit 1c4023e9efb074f6685e04571282b6c803a5d97d
+Subproject commit 27f1b898503fb2f2f498cea7dd28324c5802e1a9
diff --git a/tools/importer-msgraph-metadata/components/parser/resourceids.go b/tools/importer-msgraph-metadata/components/parser/resourceids.go
index 12708ef85da..a08348901f5 100644
--- a/tools/importer-msgraph-metadata/components/parser/resourceids.go
+++ b/tools/importer-msgraph-metadata/components/parser/resourceids.go
@@ -226,7 +226,7 @@ func (r ResourceId) FullyQualifiedResourceName(suffixQualification *string) (*st
 	}
 
 	// TODO: it would be nice to do this but it's causing some clobbering issues
-	//name = normalize.DeDuplicateName(name)
+	// name = normalize.DeDuplicateName(name)
 
 	return &name, true
 }
@@ -334,24 +334,29 @@ func NewResourceId(path string, tags []string) (id ResourceId) {
 	for i, s := range segments {
 		var segment ResourceIdSegment
 
-		if strings.HasPrefix(s, "{") && strings.HasSuffix(s, "}") {
-			value := s[1 : len(s)-1]
-			field := normalize.CleanName(value)
-			value = normalize.CleanNameCamel(value)
-			segment = ResourceIdSegment{
-				Type:  SegmentUserValue,
-				Value: fmt.Sprintf("{%s}", value),
-				field: &field,
+		switch {
+		case strings.HasPrefix(s, "{") && strings.HasSuffix(s, "}"):
+			{
+				value := s[1 : len(s)-1]
+				field := normalize.CleanName(value)
+				value = normalize.CleanNameCamel(value)
+				segment = ResourceIdSegment{
+					Type:  SegmentUserValue,
+					Value: fmt.Sprintf("{%s}", value),
+					field: &field,
+				}
 			}
-		} else if strings.Contains(s, "(") {
-			// Note: this will need updating if we are going to support complex user values such as `applications(appId='{appId}')`
-			segment = ResourceIdSegment{
-				Type:  SegmentFunction,
-				Value: s,
-				field: nil,
+		case strings.Contains(s, "("):
+			{
+				// Note: this will need updating if we are going to support complex user values such as `applications(appId='{appId}')`
+				segment = ResourceIdSegment{
+					Type:  SegmentFunction,
+					Value: s,
+					field: nil,
+				}
 			}
-		} else if strings.HasPrefix(strings.ToLower(s), "microsoft.graph.") || strings.HasPrefix(strings.ToLower(s), "graph.") {
-			if tagSuffix(".actions") {
+		case strings.HasPrefix(strings.ToLower(s), "microsoft.graph.") || strings.HasPrefix(strings.ToLower(s), "graph."):
+			{
 				value := s
 				if strings.HasPrefix(strings.ToLower(value), "microsoft.graph.") {
 					value = value[16:]
@@ -367,37 +372,39 @@ func NewResourceId(path string, tags []string) (id ResourceId) {
 					Value: value,
 					field: nil,
 				}
-			} else {
+			}
+		case strings.HasPrefix(s, "$"):
+			{
 				segment = ResourceIdSegment{
-					Type:  SegmentCast,
+					Type:  SegmentODataReference,
 					Value: s,
 					field: nil,
 				}
 			}
-		} else if strings.HasPrefix(s, "$") {
-			segment = ResourceIdSegment{
-				Type:  SegmentODataReference,
-				Value: s,
-				field: nil,
-			}
-		} else if i == len(segments)-1 && tagSuffix(".actions") {
-			segment = ResourceIdSegment{
-				Type:  SegmentAction,
-				Value: s,
-				field: nil,
+		case i == len(segments)-1 && tagSuffix(".actions"):
+			{
+				segment = ResourceIdSegment{
+					Type:  SegmentAction,
+					Value: s,
+					field: nil,
+				}
 			}
-		} else if i == len(segments)-1 && tagSuffix(".functions") {
-			segment = ResourceIdSegment{
-				Type:  SegmentFunction,
-				Value: s,
-				field: nil,
+		case i == len(segments)-1 && tagSuffix(".functions"):
+			{
+				segment = ResourceIdSegment{
+					Type:  SegmentFunction,
+					Value: s,
+					field: nil,
+				}
 			}
-		} else {
-			segment = ResourceIdSegment{
-				Type:   SegmentLabel,
-				Value:  s,
-				field:  nil,
-				plural: normalize.Pluralize(s) == s,
+		default:
+			{
+				segment = ResourceIdSegment{
+					Type:   SegmentLabel,
+					Value:  s,
+					field:  nil,
+					plural: normalize.Pluralize(s) == s,
+				}
 			}
 		}
 
diff --git a/tools/importer-msgraph-metadata/components/tags/tags.go b/tools/importer-msgraph-metadata/components/tags/tags.go
index e8c6a6a4b7b..bc118f8789c 100644
--- a/tools/importer-msgraph-metadata/components/tags/tags.go
+++ b/tools/importer-msgraph-metadata/components/tags/tags.go
@@ -22,13 +22,23 @@ func Parse(tags openapi3.Tags) (services ServiceTags, err error) {
 		}
 		if tag.Name != "" {
 			t := strings.Split(tag.Name, ".")
-			if len(t) != 2 {
+			switch len(t) {
+			case 2:
+				if _, ok := services[t[0]]; !ok {
+					services[t[0]] = make([]string, 0)
+				}
+				services[t[0]] = append(services[t[0]], t[1])
+
+			case 3:
+				if _, ok := services[t[0]]; !ok {
+					services[t[0]] = make([]string, 0)
+				}
+				services[t[0]] = append(services[t[0]], t[2])
+
+			default:
 				return nil, fmt.Errorf("encountered malformed tag: %q", tag.Name)
+
 			}
-			if _, ok := services[t[0]]; !ok {
-				services[t[0]] = make([]string, 0)
-			}
-			services[t[0]] = append(services[t[0]], t[1])
 		}
 	}
 	return
diff --git a/tools/importer-msgraph-metadata/components/workarounds/workaround_conditionalaccesspolicy.go b/tools/importer-msgraph-metadata/components/workarounds/workaround_conditionalaccesspolicy.go
deleted file mode 100644
index 127eed29ebc..00000000000
--- a/tools/importer-msgraph-metadata/components/workarounds/workaround_conditionalaccesspolicy.go
+++ /dev/null
@@ -1,116 +0,0 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: MPL-2.0
-
-package workarounds
-
-import (
-	"fmt"
-
-	"github.com/hashicorp/go-azure-helpers/lang/pointer"
-	"github.com/hashicorp/pandora/tools/importer-msgraph-metadata/components/parser"
-)
-
-var _ dataWorkaround = workaroundConditionalAccessPolicy{}
-
-// workaroundConditionalAccessPolicy adds missing fields and fixes some field types.
-type workaroundConditionalAccessPolicy struct{}
-
-func (workaroundConditionalAccessPolicy) Name() string {
-	return "Conditional Access Policy / fixing missing fields and types"
-}
-
-func (workaroundConditionalAccessPolicy) Process(apiVersion string, models parser.Models, constants parser.Constants, resourceIds parser.ResourceIds) error {
-	model, ok := models["microsoft.graph.conditionalAccessPolicy"]
-	if !ok {
-		return fmt.Errorf("`ConditionalAccessPolicy` model not found")
-	}
-
-	// `grantControls` and `sessionControls` must be null to unset them, so make them nullable + required
-	if _, ok = model.Fields["grantControls"]; !ok {
-		return fmt.Errorf("`GrantControls` field not found")
-	}
-	model.Fields["grantControls"].Nullable = true
-	model.Fields["grantControls"].Required = true
-	if _, ok = model.Fields["sessionControls"]; !ok {
-		return fmt.Errorf("`SessionControls` field not found")
-	}
-	model.Fields["sessionControls"].Nullable = true
-	model.Fields["sessionControls"].Required = true
-
-	model, ok = models["microsoft.graph.conditionalAccessConditionSet"]
-	if !ok {
-		return fmt.Errorf("`ConditionalAccessConditionSet` model not found")
-	}
-
-	// `devices`, `locations`, `platforms` must each be null to unset them, so make them nullable + required
-	if _, ok = model.Fields["devices"]; !ok {
-		return fmt.Errorf("`Devices` field not found")
-	}
-	model.Fields["devices"].Nullable = true
-	model.Fields["devices"].Required = true
-	if _, ok = model.Fields["locations"]; !ok {
-		return fmt.Errorf("`Locations` field not found")
-	}
-	model.Fields["locations"].Nullable = true
-	model.Fields["locations"].Required = true
-	if _, ok = model.Fields["platforms"]; !ok {
-		return fmt.Errorf("`Platforms` field not found")
-	}
-	model.Fields["platforms"].Nullable = true
-	model.Fields["platforms"].Required = true
-
-	model, ok = models["microsoft.graph.conditionalAccessExternalTenants"]
-	if !ok {
-		return fmt.Errorf("`ConditionalAccessExternalTenants` model not found")
-	}
-
-	// Add the `members` field if missing
-	if _, ok = model.Fields["members"]; !ok {
-		model.Fields["members"] = &parser.ModelField{
-			Name:     "Members",
-			Type:     pointer.To(parser.DataTypeArray),
-			ItemType: pointer.To(parser.DataTypeString),
-		}
-	}
-
-	// Set CSV type for field
-	model, ok = models["microsoft.graph.conditionalAccessGuestsOrExternalUsers"]
-	if !ok {
-		return fmt.Errorf("`ConditionalAccessGuestsOrExternalUsers` model not found")
-	}
-	if _, ok = model.Fields["guestOrExternalUserTypes"]; !ok {
-		return fmt.Errorf("`GuestOrExternalUserTypes` field not found")
-	}
-	//model.Fields["guestOrExternalUserTypes"].Type = pointer.To(parser.DataTypeCsv)
-
-	model, ok = models["microsoft.graph.conditionalAccessSessionControls"]
-	if !ok {
-		return fmt.Errorf("`ConditionalAccessSessionControls` model not found")
-	}
-
-	// `cloudAppSecurityPolicy` must be null to unset it, so make it nullable + required
-	if _, ok = model.Fields["cloudAppSecurity"]; !ok {
-		return fmt.Errorf("`CloudAppSecurity` field not found")
-	}
-	model.Fields["cloudAppSecurity"].Nullable = true
-	model.Fields["cloudAppSecurity"].Required = true
-
-	model, ok = models["microsoft.graph.conditionalAccessUsers"]
-	if !ok {
-		return fmt.Errorf("`ConditionalAccessUsers` model not found")
-	}
-
-	// `excludeGuestsOrExternalUsers` / `includeGuestsOrExternalUsers` must be null to unset them, so make them nullable + required
-	if _, ok = model.Fields["excludeGuestsOrExternalUsers"]; !ok {
-		return fmt.Errorf("`ExcludeGuestsOrExternalUsers` field not found")
-	}
-	model.Fields["excludeGuestsOrExternalUsers"].Nullable = true
-	model.Fields["excludeGuestsOrExternalUsers"].Required = true
-	if _, ok = model.Fields["includeGuestsOrExternalUsers"]; !ok {
-		return fmt.Errorf("`IncludeGuestsOrExternalUsers` field not found")
-	}
-	model.Fields["includeGuestsOrExternalUsers"].Nullable = true
-	model.Fields["includeGuestsOrExternalUsers"].Required = true
-
-	return nil
-}
diff --git a/tools/importer-msgraph-metadata/components/workarounds/workarounds.go b/tools/importer-msgraph-metadata/components/workarounds/workarounds.go
index bea50375ee5..68c393e7c38 100644
--- a/tools/importer-msgraph-metadata/components/workarounds/workarounds.go
+++ b/tools/importer-msgraph-metadata/components/workarounds/workarounds.go
@@ -20,7 +20,6 @@ var workarounds = []dataWorkaround{
 	// Model-specific workarounds
 	workaroundAccessPackageResourceRoleScope{},
 	workaroundApplication{},
-	workaroundConditionalAccessPolicy{},
 	workaroundOAuth2PermissionGrant{},
 	workaroundUnifiedRoleAssignment{},
 }