Assigning role after oauth 1st sign-in

I’m using an Azure Active Directory service to authenticate. When a shadow user does not already exist, one is created when a new user first logs in. I’d like to intercept that registration service to assign custom roles to users. I plan to use a separate table to assign roles.

This post was very helpful:

Now I can dynamically assign roles after a standard registration using an event script at

var lodash = require("lodash.min.js");
if ( === 4 && platform.session.user) {
  var userObject = platform.api.get('system/user/''?related=user_to_app_to_role_by_user_id');
  var userApp = lodash._.find(userObject.content.user_to_app_to_role_by_user_id, { 'app_id': 4 });
  // change role to 1 for testing
  userApp.role_id = 1;
  platform.api.patch('system/user/''?related=user_to_app_to_role_by_user_id', userObject.content);

I assumed this would work for my Azure AD service as well, since I’m guessing it is calling that same service at some point. But it doesn’t work. So I’m wondering where I need to add the event script in order to intercept the Azure AD user registration.