It seems that microsoft will not issue JWT access tokens for personal accounts.
In Azure AD I created an app registration with the type 'Personal Microsoft accounts only'.
My SPA uses that app registration and I can authenticate against it.
After authenticating my SPA receives an id token and an access token.
But the access token does not look like a JsonWebToken.
AFAIK access tokens start always with the characters 'eyJ', but the issued token from Azure AD starts with 'EwC' and when I debug the access token on jwt.ms the console tells me 'Invalid token specified: Unexpected token'.
But this is only the case if I choose the account type 'Personal Microsoft accounts only'.
It works if I'm using the type 'Accounts in this organizational directory only'.
When I send the invalid token to my REST Api I get a 401 response with the header WWW-Authenticate: Bearer error="invalid_token"
.
The api is configured to accept JWT Bearer tokens and uses the same Azure AD app registration.
Calling the OAuth userinfo enpoint with the issued token works fine.
Is there a way to get JWT access tokens with personal Microsoft accounts?
Reading the friendly manual (RTFM) has answered my question.
I had to create two app registrations in the azure portal.
One for my SPA and one for my REST API and then give my SPA permissions to access the REST API.
It is well described here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis
When sending the initial authentication request the scope must include the permission that was granted to my REST API.
The response will contain the JWT access token that is issued for the REST API.