Get rid of the concept of "Protected APIs"
The protected APIs are listed on this page: https://docs.microsoft.com/en-us/graph/teams-protected-apis
The whole process of getting permissions to use these APIs is really irritating. Why on the earth a tenant admin has access to everything, without making any additional movements, but an app should ask for special permissions directly from Microsoft? After all, the "working days" are only Wed and Fri, really? Are you so busy reading zillions of the incoming forms?