diff --git a/msgraph/conditionalaccesspolicy_test.go b/msgraph/conditionalaccesspolicy_test.go
index 18a05dbf..59bd62bb 100644
--- a/msgraph/conditionalaccesspolicy_test.go
+++ b/msgraph/conditionalaccesspolicy_test.go
@@ -1,6 +1,7 @@
 package msgraph_test
 
 import (
+	"encoding/json"
 	"fmt"
 	"testing"
 
@@ -198,3 +199,78 @@ func testUser_Delete(t *testing.T, c *test.Test, user *msgraph.User) {
 		t.Fatalf("UsersClient.Delete() - Could not delete test user: %v", err)
 	}
 }
+
+func assertJsonMarshalEquals(t *testing.T, value interface{}, expected string) {
+	bytes, err := json.MarshalIndent(value, "", "  ")
+	if err != nil {
+		t.Fatalf("Marshalling failed with error %s", err)
+	}
+	actual := string(bytes)
+	if actual != expected {
+		t.Errorf("Expected marshalled json to equal %s but was %s", expected, actual)
+	}
+}
+
+func TestConditionalAccessPolicy_MarshalConditionsUsersGuestsOrExternalUsersNull(t *testing.T) {
+	usersCondition := &msgraph.ConditionalAccessUsers{}
+	expected := `{
+  "includeGuestsOrExternalUsers": null,
+  "excludeGuestsOrExternalUsers": null
+}`
+	assertJsonMarshalEquals(t, usersCondition, expected)
+}
+
+func TestConditionalAccessPolicy_MarshalConditionsUsersGuestsOrExternalUsersAll(t *testing.T) {
+	usersCondition := &msgraph.ConditionalAccessUsers{
+		IncludeGuestsOrExternalUsers: &msgraph.ConditionalAccessGuestsOrExternalUsers{
+			GuestOrExternalUserTypes: &[]string{
+				msgraph.ConditionalAccessGuestOrExternalUserTypeInternalGuest,
+				msgraph.ConditionalAccessGuestOrExternalUserTypeServiceProvider,
+			},
+			ExternalTenants: &msgraph.ConditionalAccessExternalTenants{
+				MembershipKind: utils.StringPtr(msgraph.ConditionalAccessExternalTenantsMembershipKindAll),
+			},
+		},
+	}
+	expected := `{
+  "includeGuestsOrExternalUsers": {
+    "guestOrExternalUserTypes": "internalGuest,serviceProvider",
+    "externalTenants": {
+      "@odata.type": "#microsoft.graph.conditionalAccessAllExternalTenants",
+      "membershipKind": "all"
+    }
+  },
+  "excludeGuestsOrExternalUsers": null
+}`
+	assertJsonMarshalEquals(t, usersCondition, expected)
+}
+
+func TestConditionalAccessPolicy_MarshalConditionsUsersGuestsOrExternalUsersEnumerated(t *testing.T) {
+	usersCondition := &msgraph.ConditionalAccessUsers{
+		IncludeGuestsOrExternalUsers: &msgraph.ConditionalAccessGuestsOrExternalUsers{
+			GuestOrExternalUserTypes: &[]string{
+				msgraph.ConditionalAccessGuestOrExternalUserTypeInternalGuest,
+				msgraph.ConditionalAccessGuestOrExternalUserTypeServiceProvider,
+			},
+			ExternalTenants: &msgraph.ConditionalAccessExternalTenants{
+				MembershipKind: utils.StringPtr(msgraph.ConditionalAccessExternalTenantsMembershipKindEnumerated),
+				Members:        &[]string{"member-a", "member-b"},
+			},
+		},
+	}
+	expected := `{
+  "includeGuestsOrExternalUsers": {
+    "guestOrExternalUserTypes": "internalGuest,serviceProvider",
+    "externalTenants": {
+      "@odata.type": "#microsoft.graph.conditionalAccessEnumeratedExternalTenants",
+      "membershipKind": "enumerated",
+      "members": [
+        "member-a",
+        "member-b"
+      ]
+    }
+  },
+  "excludeGuestsOrExternalUsers": null
+}`
+	assertJsonMarshalEquals(t, usersCondition, expected)
+}
diff --git a/msgraph/models.go b/msgraph/models.go
index 11c16520..1ff62066 100644
--- a/msgraph/models.go
+++ b/msgraph/models.go
@@ -9,6 +9,7 @@ import (
 
 	"github.com/hashicorp/go-azure-sdk/sdk/odata"
 	"github.com/manicminer/hamilton/errors"
+	"github.com/manicminer/hamilton/internal/utils"
 )
 
 type AccessPackage struct {
@@ -709,9 +710,9 @@ type ConditionalAccessGuestsOrExternalUsers struct {
 }
 
 type ConditionalAccessExternalTenants struct {
+	ODataType      *odata.Type                                     `json:"@odata.type,omitempty"`
 	MembershipKind *ConditionalAccessExternalTenantsMembershipKind `json:"membershipKind,omitempty"`
 	Members        *[]string                                       `json:"members,omitempty"`
-
 }
 
 func (c ConditionalAccessGuestsOrExternalUsers) MarshalJSON() ([]byte, error) {
@@ -730,6 +731,28 @@ func (c ConditionalAccessGuestsOrExternalUsers) MarshalJSON() ([]byte, error) {
 		GuestOrExternalUserTypes:               val,
 		conditionalAccessGuestsOrExternalUsers: (*conditionalAccessGuestsOrExternalUsers)(&c),
 	}
+
+	const externalTenantsTypeAll = "#microsoft.graph.conditionalAccessAllExternalTenants"
+	const externalTenantsTypeEnumerated = "#microsoft.graph.conditionalAccessEnumeratedExternalTenants"
+	setExternalTenantsObjectType := func(c *conditionalAccessGuestsOrExternalUsers) {
+		if c == nil {
+			return
+		}
+		if c.ExternalTenants == nil {
+			return
+		}
+		if c.ExternalTenants.MembershipKind == nil {
+			return
+		}
+		switch *c.ExternalTenants.MembershipKind {
+		case ConditionalAccessExternalTenantsMembershipKindAll:
+			c.ExternalTenants.ODataType = utils.StringPtr(externalTenantsTypeAll)
+		case ConditionalAccessExternalTenantsMembershipKindEnumerated:
+			c.ExternalTenants.ODataType = utils.StringPtr(externalTenantsTypeEnumerated)
+		}
+	}
+	setExternalTenantsObjectType(guestOrExternalUsers.conditionalAccessGuestsOrExternalUsers)
+
 	buf, err := json.Marshal(&guestOrExternalUsers)
 	return buf, err
 }