It depends on what applications you're referring to. It really depends on Microsoft Dynamics and what you're trying to access. If the registration has application permissions, and accessing the Dynamics service only requires application permissions, and one of your employees has access to get an access token from the app registration using client ID/secret, then the user will be able to access the Dynamics instance with the same amount of permissions as were granted by the application registration/global admin originally.
If you want it to be based on the user, you will have to follow an auth code flow, and only allow users from X tenant to access Y Application. That is delegated permissions. For more information on the differences between application and delegated permissions, please see here: https://learn.microsoft.com/en-us/azure/active-directory/develop/delegated-and-app-perms
- Frank Hu
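
The following is an added example, not part of the answer above: a resource API can tell the two token types apart by their claims, since a delegated (auth code flow) access token carries `scp` while an app-only (client ID/secret) token carries only `roles`, and both carry the issuing tenant in `tid`. The tenant ID, the sample tokens and the function names are constructed for illustration, and signature validation is assumed to have happened already.

```python
import base64
import json

# Constructed placeholder standing in for "X tenant"; not a real tenant ID.
ALLOWED_TENANT = "00000000-0000-0000-0000-00000000aaaa"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, JWT-shaped string from constructed claims (demo only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def read_claims(token: str) -> dict:
    """Decode the payload segment; assumes the signature was verified upstream."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify(token: str) -> str:
    """Return 'delegated', 'application', or 'rejected: <reason>'."""
    claims = read_claims(token)
    if claims.get("tid") != ALLOWED_TENANT:
        return "rejected: wrong tenant"
    if claims.get("scp"):
        # A signed-in user is present; access is bounded by that user's rights.
        return "delegated"
    if claims.get("roles"):
        # No user: the caller holds whatever the admin consented to for the app.
        return "application"
    return "rejected: no permissions"


# Constructed sample tokens covering the cases described in the answer.
USER_TOKEN = make_sample_token(
    {"tid": ALLOWED_TENANT, "scp": "user_impersonation", "oid": "user-object-id"})
APP_TOKEN = make_sample_token(
    {"tid": ALLOWED_TENANT, "roles": ["Example.ReadWrite.All"], "oid": "sp-object-id"})
FOREIGN_TOKEN = make_sample_token(
    {"tid": "00000000-0000-0000-0000-00000000bbbb", "scp": "user_impersonation"})
```

An API that should only act on behalf of users would accept `delegated` results and refuse `application` ones, which closes the path where anyone holding the client secret inherits the app's full grant.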