There are two things about Azure AD apps that seem to run counter to each other.
1. The most privileged permissions require admin consent.
2. Admin consent grants a permission implicitly to every user in the organisation.
That seems a bit backwards to me. I'm required, as an admin, to say "yes, this is okay" not for just one user, but for everyone? Indeed, for everyone without asking them? If I wanted to grant, say, Directory.ReadWrite.All for a few select users – I can't do that; I have to give that permission to everyone. That seems crazy. Is there really no way to grant admin-consent-requiring permissions to individual users, rather than to everyone?
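As an added example (not part of the question above), this shows how the two consent types the question contrasts appear in Microsoft Graph's `oauth2PermissionGrants` objects: admin consent produces a grant with `consentType` `AllPrincipals` and no `principalId`, while user consent produces a `Principal` grant tied to one user. The sample grants, the service principal ids and the high-privilege scope list are constructed assumptions, not tenant data.

```python
import json

# Constructed sample in the shape Microsoft Graph returns for oauth2PermissionGrants.
# Field names follow the Graph schema; the ids and scope combinations are made up.
SAMPLE_GRANTS = json.loads("""[
  {"clientId": "sp-app-1", "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "sp-graph", "scope": "User.Read Directory.ReadWrite.All"},
  {"clientId": "sp-app-2", "consentType": "Principal", "principalId": "user-42",
   "resourceId": "sp-graph", "scope": "User.Read Mail.Read"},
  {"clientId": "sp-app-3", "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "sp-graph", "scope": "User.Read"}
]""")

# Delegated scopes this audit treats as high privilege (assumption: a local policy
# list; the scope names themselves are real Microsoft Graph delegated permissions).
HIGH_PRIVILEGE = {
    "Directory.ReadWrite.All",
    "Directory.AccessAsUser.All",
    "RoleManagement.ReadWrite.Directory",
}


def tenant_wide_grants(grants):
    """Grants that admin consent applied to every user: consentType AllPrincipals."""
    return [g for g in grants if g["consentType"] == "AllPrincipals"]


def per_user_grants(grants):
    """Grants created by individual user consent, each bound to one principalId."""
    return [g for g in grants if g["consentType"] == "Principal"]


def flag_high_privilege(grants):
    """Map clientId -> sorted high-privilege scopes that are granted tenant-wide.

    A scope in this map is usable by any user who signs in to that app, which is
    exactly the 'everyone' effect of admin consent.
    """
    findings = {}
    for grant in tenant_wide_grants(grants):
        risky = sorted(set(grant["scope"].split()) & HIGH_PRIVILEGE)
        if risky:
            findings[grant["clientId"]] = risky
    return findings
```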