This is related to your permission type. If your permission is a delegated permission, you can dynamically agree to a specific delegated permission on the administrator consent page: scope=https://graph.microsoft.com/calendars.readwrite.
If your permissions are application permissions, you can only request the static /.default scope, which will require the administrator to consent to all permissions in the tenant: scope=https://graph.microsoft.com/.default.
See the document, there are detailed instructions:
At this point, Azure AD requires a tenant administrator to sign in to
complete the request. The administrator is asked to approve all the
permissions that you have requested in the scope parameter. If you've
used a static (/.default) value, it will function like the v1.0 admin
consent endpoint and request consent for all scopes found in the
required permissions (both user and app). In order to request app
permissions, you must use the /.default value. If you don't want
admins to see a given permission in the admin consent screen all the
time when you use /.default, the best practice is to not put the
permission in the required permissions section. Instead you can use
dynamic consent to add the permissions you want to be in the consent
screen at run time, rather than using /.default.
