let me explain my situation
i have one api app and two consumers
in ad
one consumer have permission for api app
but other not
but when i m trying to call both client are able to call api app
and i m calling api app using apim
for calling api i m using postman
using this as reference
https://docs.microsoft.com/en-us/azure/app-service/app-service-mobile-how-to-configure-active-directory-authentication