How to obtain a "fresh" waad token on user login

I’m maintaining an enterprise Auth0 setup, where we have an integration to waad (windows azure active directory). Is it documented somewhere if I get a fresh token to consume the Microsoft Graph api on every user login?

I have “found” a token under the users identity, but this token does not “refresh” on a new login, and is therefore useless the second time.

How I currently get the token, when processing logins with an Auth0 rule:

const waadIdentity = user.identities.find((v) => v.provider === 'waad');
accessToken = waadIdentity['access_token'];

Where should I get the token from instead?