office 365 – Microsoft Graph API for registering the SharePoint Online App

There are two types of permissions for OAuth "world" (and also in Office 365 Graph).

The first is the authority of your application. This is a set of permissions that you can select during app registration and change in the Azure portal.

The second is the user privilege.

How do they correlate?

It depends on the type of authentication flow you are using.

To the Client credentials Only flow app permissions are used. This type of authentication flow usually involves only ClientId and ClientSecret and does not require any user interaction. It is useful and is usually used for daemon services, scheduled processes, etc. (if there is no user). These types of permissions are called application permissions in the Azure portal.

To the Access code The flow endpoint (in your case, MS Graph) analyzes the effective permissions of your application (you set the permissions on the Azure portal) and your user. For example, if your app has "write permissions" to SharePoint, but your user can only read, an HTTP request with the forbidden response will fail. Because effective permissions are being read (lowest possible between your app and a user). In the Azure portal, these permissions are called delegated permissions

What type of authentication does your app use? I have no experience with Android development, but based on this article and other examples Access code flow. This means that all your http requests to MS Grpah (or whatever other endpoints) are subject to valid permissions between a user who initiated this call and your app.