# ktor
m
OK, got OAuth2 working against Azure AD. The ultimate configuration looks as follows:
```kotlin
OAuthServerSettings.OAuth2ServerSettings(
    // configUrl = https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
    name = "AzureAD",
    authorizeUrl = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    accessTokenUrl = "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    clientId = "<client-app-id>",
    clientSecret = "<client-app-secret>",
    defaultScopes = listOf("openid", "profile", "offline_access", "api://<server-app-id>/access_as_user"),
    requestMethod = HttpMethod.Post
)
```
where client-app-id is the registered web app or native client that is attempting to get an access token to the server app, which is specified by server-app-id. Both apps need to be registered under apps.dev.microsoft.com. The end result of this is the `access_token` that is issued by Microsoft Azure AD for my <server-app-id>, and I can verify that using a JWK.
👍 3
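The JWK verification mentioned at the end of the post, sketched as an added example (not code from the original message). It assumes the `com.auth0:java-jwt` and `com.auth0:jwks-rsa` libraries; the class name and the `jwksUri`, `issuer` and `audience` parameters are hypothetical, with `jwksUri` taken from the `jwks_uri` field of the openid-configuration document referenced in the config comment.

```kotlin
// Added example: assumes com.auth0:java-jwt and com.auth0:jwks-rsa are on the classpath.
import com.auth0.jwk.JwkProvider
import com.auth0.jwk.JwkProviderBuilder
import com.auth0.jwt.JWT
import com.auth0.jwt.algorithms.Algorithm
import com.auth0.jwt.exceptions.JWTVerificationException
import com.auth0.jwt.interfaces.DecodedJWT
import java.net.URL
import java.security.interfaces.RSAPublicKey
import java.util.concurrent.TimeUnit

class AccessTokenVerifier(
    jwksUri: String,              // jwks_uri value from the openid-configuration document
    private val issuer: String,   // hypothetical: the exact iss value the server app accepts
    private val audience: String  // hypothetical: the aud value that identifies the server app
) {
    // Cache signing keys so every request does not hit the JWKS endpoint;
    // an unknown kid (key rotation) still triggers a fresh lookup.
    private val keys: JwkProvider = JwkProviderBuilder(URL(jwksUri))
        .cached(10, 24, TimeUnit.HOURS)
        .build()

    // Returns the verified token, or null if any check fails.
    fun verify(token: String): DecodedJWT? = try {
        // decode() only parses; nothing in it is trusted until verify() succeeds.
        val unverified = JWT.decode(token)

        // Pin the algorithm instead of trusting the header's alg value.
        if (unverified.algorithm != "RS256") throw JWTVerificationException("unexpected alg")
        val kid = unverified.keyId ?: throw JWTVerificationException("missing kid")

        // Look up the public key by kid in the identity provider's key set.
        val publicKey = keys.get(kid).publicKey as RSAPublicKey

        // Signature, expiry, issuer and audience are all checked here.
        // Without the audience check, a token issued for a different app
        // in the same directory would be accepted.
        JWT.require(Algorithm.RSA256(publicKey, null))
            .withIssuer(issuer)
            .withAudience(audience)
            .build()
            .verify(token)
    } catch (e: Exception) {
        null // fail closed: unknown kid, bad signature, expired, wrong iss/aud
    }
}
```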