Root "roles" claim set by Azure AD enterprise connection is empty in rules

When using an Azure AD connection, it passes its roles configuration as a “roles claim” on the root level. This claim can also be viewed in the user’s raw JSON file.

I wanted to grab this roles claim with a rule and put it in the user’s app_metadata property. However, this claim is empty inside of a rule.

function setRolesToUser(user, context, callback) {
  user.app_metadata = user.app_metadata || {};
  // Get the roles claim from the current user and put it in the app_metadata claim
  user.app_metadata.roles = user.roles || {};
  console.log("This user has the following roles:" + JSON.stringify(user.roles));
  // Persist the updated app_metadata, then add the roles to the ID token
  auth0.users.updateAppMetadata(user.user_id, user.app_metadata)
    .then(function () {
      context.idToken[''] = user.app_metadata.roles;
      callback(null, user, context);
    })
    .catch(function (err) {
      // Pass the failure back to the rules pipeline
      callback(err);
    });
}

Is this by design? Does the roles claim on root level get removed before it hits the rules? I’m also on the starter (legacy) subscription, might that be a reason why?
Sadly there is no way of telling Azure AD to use a different claim to provide the roles information in.

Can someone please help?