Multi-tenant app requesting access to azure resources under subscription

Question

Good day there! I have a multi tenant app. Registered in my tenant, which is named 'home tenant' in azure docs. I want this app to be available to be used by multiple clients who have Azure. Using oauth2 it works great if my app is only using graph APIs because I can set the scopes (when requesting the access token for my app) to some msgraph granular scopes, like 'https://graph.microsoft.com/User.Read.All' for example. But, I want the app to be able to 'touch' the client given subscription. For a better explanation, let's assume my app will create an eventhub namespace with an eventhub under that namespace. This is my app functionality. One of the approach would be, when asking for access token, to set the scopes to 'https://management.azure.com/user_impersonation'. Basically, if the user (client) who grants permission to my app has a RBAC role which is 'strong' enough to create eventhub namespace (+eventhub) then it will work wonder. But, I dislike this approach. Basically, when my app requests a token, the client will be asked "hey what about giving all your permissions to this app?". Now if that's an administrator with sensitive permissions it will think twice before giving the very same permissions to my app. And truth be told why would he/she give such sensitive permissions to my app which only need permissions to create an eventhub!? Thus, I'm looking for a way to fine set the scope when I'm asking for the access token. I do NOT want to ask for user_impersonation, that's WAY too much. I want to ask for granular permissions (something like https://management.azure.com/Eventhub.Write for example (does this exists?) ) but i fail to understand how can I do this. If somebody here knows and would like to share with me I kindly please you to do so! Thank you!