In general, there are two choices for graph API permission. User scope requires an individual user to consent to the permission (or an admin to consent for everyone), and application permissions require an admin to consent for the entire tenant. The issue is that often an application will need application permissions, but most tenant admins don't want to grant permission to the entire tenant, and would rather do so for a scoped group of users. A better middle ground would be a way to grant application permission to a scoped list of users, groups etc, similar to an AD policy being granted. This way, something like Mail.ReadWrite could be granted at the application level to a specific group of mailboxes, or Presence.Write could be scoped to members of a specific group/team.