If the idea is to restrict access to specific applications only, this can only be done via custom roles (see https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/quickstart-app-registration-limits). Graph API permissions cannot currently be restricted. It's something Microsoft is exploring for the future.
Restricting Application Permissions in Azure AD
Chaitanya Kale
Is there a way to ensure that an application has access only to its specific permissions in Azure Active Directory, rather than the broad Application.Read.All permission that grants read access to all applications in the tenant? If this is not possible, can it be confirmed that this remains the limitation as of now?
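As an added example (not part of the question or the answer above), here is what the custom-role approach from the linked quickstart looks like as Microsoft Graph request bodies: a role carrying only two application actions, an assignment whose directoryScopeId is one app registration's object id rather than the tenant root "/", and an audit check that flags holders of that role at tenant scope. The GUIDs are constructed placeholders; the endpoint paths and action names are the documented Graph ones, and no requests are sent.

```python
import re

# Microsoft Graph v1.0 paths for Entra directory roles (documented endpoints).
GRAPH = "https://graph.microsoft.com/v1.0/roleManagement/directory"
# Resource actions from the linked quickstart: edit an app registration's basic
# properties and credentials, and nothing else in the directory.
ALLOWED_ACTIONS = [
    "microsoft.directory/applications/basic/update",
    "microsoft.directory/applications/credentials/update",
]
_GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def role_definition_body(display_name: str, description: str) -> dict:
    """Body for POST {GRAPH}/roleDefinitions: a custom role that carries only
    ALLOWED_ACTIONS. The role is not scoped; the assignment below is."""
    return {
        "displayName": display_name,
        "description": description,
        "isEnabled": True,
        "rolePermissions": [{"allowedResourceActions": ALLOWED_ACTIONS}],
    }


def scoped_assignment_body(principal_id: str, role_definition_id: str,
                           app_object_id: str) -> dict:
    """Body for POST {GRAPH}/roleAssignments. directoryScopeId is the object id
    of ONE app registration, so the role works only on that app; a scope of
    "/" would grant the same actions over every app in the tenant."""
    if not _GUID.match(app_object_id):
        raise ValueError("app_object_id must be the app registration's object id")
    return {
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": f"/{app_object_id}",
    }


def tenant_wide_holders(assignments: list, role_definition_id: str) -> list:
    """Principals holding the role at tenant scope ("/") rather than on one app."""
    return [a["principalId"] for a in assignments
            if a["roleDefinitionId"] == role_definition_id
            and a["directoryScopeId"] == "/"]


# Constructed sample data with placeholder GUIDs (not from a real tenant).
ROLE_ID = "aaaaaaaa-0000-0000-0000-000000000001"
APP_ID = "bbbbbbbb-0000-0000-0000-000000000002"
SAMPLE_ASSIGNMENTS = [
    scoped_assignment_body("cccccccc-0000-0000-0000-000000000003", ROLE_ID, APP_ID),
    {"principalId": "dddddddd-0000-0000-0000-000000000004",
     "roleDefinitionId": ROLE_ID, "directoryScopeId": "/"},  # over-broad
]
```

Feeding the `value` array of a real GET on the roleAssignments endpoint to `tenant_wide_holders` shows which principals hold the app-management role tenant-wide instead of per app.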