How to get access_token from 3rd party IdP with cognito?

I have setup a signup / login flow with cognito, using azure AD as a 3rd party IdP which is working as expected.

My app will be interacting with the Microsoft graph api and therefore needs the access_token from AAD.

I saw you can setup custom attribute mapping to store fields like this on the cognito user object, but the access token exceeds the 2048 char limit, so that doesn't work.

Can I use pre token generation lambda trigger to access this token and store it in DDB?

If not, what would be the next best course of action be please?