When using an external service provider (Azure AD) to log into my user pool, my Cognito migrate user lambda never executes

I'm having the problem described above. Here are a few things to note:

• There's no permissions issue. I've validated that the lambda will fire and execute as a post-auth trigger (when testing with a different function handler).
• My app client is set to use USER_PASSWORD_AUTH instead of SRP.
• The lambda fires when making an AdminInitiateAuth() call directly from my C# app or the console using (aws cognito-idp admin-initiate-auth) and succeeds.
• I can see a user being created in the pool after I authenticate, but the lambda just doesn't fire.

I'm out of options. I need to know whether this will work as configured above. If not, I need a possible alternative (post auth trigger to grab some important data from my existing pool)? As it turns out, I don't need the passwords from the existing pool, just some of the attributes.

One thing I noticed: The username displayed in Cognito is always pre-pended with the provider name specified in the UI. I don't know if this matters, but it's not the desired behavior. I want the username to reflect the NAMEID in my SAML, but Cognito doesn't seem to care and throws the provider name in front of it automatically.