Limit Microsoft OAuth authentication to only authenticate webapplication, not all microsoft services

Question

I am using firebase for a website, where users can sign in with their microsoft accounts via OAuth 2.0:

import {getAuth, signInWithRedirect, OAuthProvider} from "firebase/auth";

(...)

const provider = new OAuthProvider('microsoft.com');
const auth = getAuth();
signInWithRedirect(auth, provider);

It prompts the Microsoft Single Sign-on with a redirection work-flow.

The authentification works nice with firebase, except one detail: When I sign in with the Microsoft account in the browser for the webapplication, I am also signed in to my complete Office 365 account in the background and other potential microsoft sites.

So if I open a new tab and go to the my Outlook 365 online mail, then I am already logged in since I logged into my webapplication. If I happen to forget to log out from the webapplication, my entire mailbox, calendar with all the microsoft account information are exposed.

I have looked through all the pages and settings in the Azure Portal where I set up application/tenant id's, looked at Scopes and looked at OAuth 2.0 parameters from the Mirosoft documentation,but I can't find anything about this issue.

Single sign-on is originally made as a convenience for the user, but in my case I would like to prevent it as a security measure.

How can I limit the microsoft sign-in to only authenticate in the webapp/firebase project, and nothing else?