question

Depends on what the app is supposed to do. If accessing/managing mail items and such, the Graph API can be a good match and you can restrain the permissions to specific mailboxes via application access policies: https://practical365.com/exchange-online/application-access-policies-in-exchange-online/

EWS is another option, but if you are going to use it in the application permissions model, it cannot be scoped. You can however create a separate account just for said app to use, and limit its permissions. If the app needs to also perform management tasks, the Graph API currently doesn't cover a thing, so you'll have to use PowerShell and limit it via management scopes and such.

Hi @KyleBarr-8515, You can choose to go with delegated or application permissions based on how the application is going to access the resources.

Delegated permissions should be used when you want the application to perform certain actions on behalf of a user. For example, allow application to access directory data as signed in user.

Application permissions should be used when there is no user involved in the process. In case the application authenticates using client_credentials flow and gets a token issued to the application itself. In this case application will access directory data in it own context and not on behalf of a user.

Is there a way to automatically grant permission to a small set of users?
This is possible if each use in that specific set provides consent to the application to access resources on their behalf or an admin adds the specific set of users to a specific directory role. You cannot provide admin consent to grant permissions to a specific set of users. Admin consent grants approved access for all users in the tenant.

Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.