according to MS docs,

The contents of the token are intended only for the API, which means that access tokens must be treated as opaque strings.

https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens

Also

ID tokens differ from access tokens, which serve as proof of authorization. Confidential clients should validate ID tokens. You shouldn't use an ID token to call an API. [...] The claims provided by ID tokens can be used for UX inside your application, as keys in a database, and providing access to the client application.

https://learn.microsoft.com/en-us/entra/identity-platform/id-tokens