MicrosoftDocs
diff --git a/‎articles/api-center/TOC.yml
Lines changed: 2 additions & 0 deletions b/‎articles/api-center/TOC.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/api-management/TOC.yml
Lines changed: 2 additions & 0 deletions b/‎articles/api-management/TOC.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/api-management/authentication-authorization-overview.md
Lines changed: 1 addition & 0 deletions b/‎articles/api-management/authentication-authorization-overview.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎articles/api-management/mitigate-owasp-api-threats.md
Lines changed: 1 addition & 0 deletions b/‎articles/api-management/mitigate-owasp-api-threats.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎articles/api-management/protect-with-defender-for-apis.md
Lines changed: 1 addition & 0 deletions b/‎articles/api-management/protect-with-defender-for-apis.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎articles/api-management/validate-jwt-policy.md
Lines changed: 2 additions & 2 deletions b/‎articles/api-management/validate-jwt-policy.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/azure-app-configuration/feature-management-python-reference.md
Lines changed: 2 additions & 2 deletions b/‎articles/azure-app-configuration/feature-management-python-reference.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/azure-functions/functions-bindings-event-grid-trigger.md
Lines changed: 1 addition & 1 deletion b/‎articles/azure-functions/functions-bindings-event-grid-trigger.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/azure-maps/add-custom-protocol-pmtiles.md
Lines changed: 145 additions & 0 deletions b/‎articles/azure-maps/add-custom-protocol-pmtiles.md
Lines changed: 145 additions & 0 deletions
diff --git a/‎articles/azure-maps/media/add-custom-protocol-pmtiles/pmtiles-building.png
1.61 MB b/‎articles/azure-maps/media/add-custom-protocol-pmtiles/pmtiles-building.png
1.61 MB
@@ -90,5 +90,7 @@
   items:
       - name: Samples and labs
         href: resources.md
+      - name: Building an API security strategy
+        href: https://aka.ms/API-Security-EBook
       - name: Azure updates
         href: https://aka.ms/apic/updates
@@ -657,6 +657,8 @@
       href: /azure/architecture/best-practices/api-design?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json
     - name: Web API implementation
       href: /azure/architecture/best-practices/api-implementation?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json
+  - name: Building an API security strategy
+    href: https://aka.ms/API-Security-EBook    
   - name: Breaking changes and retirements
     items:
     - name: Breaking changes overview
 
@@ -154,3 +154,4 @@ While authorization is preferred, and OAuth 2.0 has become the dominant method o
 ## Next steps
 * Learn more about [authentication and authorization](../active-directory/develop/authentication-vs-authorization.md) in the Microsoft identity platform.
 * Learn how to [mitigate OWASP API security threats](mitigate-owasp-api-threats.md) using API Management.
+* Learn how to [build a comprehensive API security strategy](https://aka.ms/API-Security-EBook)   
@@ -318,5 +318,6 @@ Learn more about:
 * [Authentication and authorization in API Management](authentication-authorization-overview.md)
 * [Security baseline for API Management](/security/benchmark/azure/baselines/api-management-security-baseline)
 * [Security controls by Azure policy](security-controls-policy.md)
+* [Building a comprehensive API security strategy](https://aka.ms/API-Security-EBook)
 * [Landing zone accelerator for API Management](/azure/cloud-adoption-framework/scenarios/app-platform/api-management/landing-zone-accelerator)
 * [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)
@@ -112,4 +112,5 @@ You can remove APIs from protection by Defender for APIs by using Defender for C
 
 * Learn more about [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)
 * Learn more about [API findings, recommendations, and alerts](/azure/defender-for-cloud/defender-for-apis-posture) in Defender for APIs
+Learn how to [build a comprehensive API security strategy](https://aka.ms/API-Security-EBook)
 * Learn how to [upgrade and scale](upgrade-and-scale.md) an API Management instance
@@ -85,7 +85,7 @@ The `validate-jwt` policy enforces existence and validity of a supported JSON we
 | Element             | Description                                                                                                                                                                                                                                                                                                                                           | Required |
 | ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- |
 | openid-config       |Add one or more of these elements to specify a compliant OpenID configuration endpoint URL from which signing keys and issuer can be obtained.<br/><br/>Configuration including the JSON Web Key Set (JWKS) is pulled from the endpoint every 1 hour and cached. If the token being validated references a validation key (using `kid` claim) that is missing in cached configuration, or if retrieval fails, API Management pulls from the endpoint at most once per 5 min. These intervals are subject to change without notice.                                                                                                                                              <br/><br/>The response should be according to specs as defined at URL: `https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata`. <br/><br/>For Microsoft Entra ID use the OpenID Connect [metadata endpoint](../active-directory/develop/v2-protocols-oidc.md#find-your-apps-openid-configuration-document-uri) configured in your app registration such as:<br/>- v2 `https://login.microsoftonline.com/{tenant-name}/v2.0/.well-known/openid-configuration`<br/>- v2 Multi-Tenant ` https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration`<br/>- v1 `https://login.microsoftonline.com/{tenant-name}/.well-known/openid-configuration` <br/>- Customer tenant (preview) `https://{tenant-name}.ciamlogin.com/{tenant-id}/v2.0/.well-known/openid-configuration` <br/><br/> Substituting your directory tenant name or ID, for example `contoso.onmicrosoft.com`, for `{tenant-name}`.                                                                                                                                                                                            | No       |
-| issuer-signing-keys | A list of Base64-encoded security keys, in [`key`](#key-attributes) subelements, used to validate signed tokens. If multiple security keys are present, then each key is tried until either all are exhausted (in which case validation fails) or one succeeds (useful for token rollover). <br/><br/>Optionally specify a key by using the `id` attribute to match a `kid` claim. To validate a token signed with an asymmetric key, optionally specify the public key using a `certificate-id` attribute with value set to the identifier of a certificate uploaded to API Management, or the RSA modulus `n` and exponent `e` pair of the signing key in Base64url-encoded format.               | No       |
+| issuer-signing-keys | A list of Base64-encoded security keys, in [`key`](#key-attributes) subelements, used to validate signed tokens. If multiple security keys are present, then each key is tried until either all are exhausted (in which case validation fails) or one succeeds (useful for token rollover). <br/><br/>Optionally, specify a key by using the `id` attribute to match the token's `kid` claim. To validate a token signed with an asymmetric key, optionally specify the public key using a `certificate-id` attribute with value set to the identifier of a certificate uploaded to API Management, or the RSA modulus `n` and exponent `e` pair of the signing key in Base64url-encoded format.               | No       |
 | decryption-keys     | A list of Base64-encoded keys, in [`key`](#key-attributes) subelements, used to decrypt the tokens. If multiple security keys are present, then each key is tried until either all keys are exhausted (in which case validation fails) or a key succeeds.<br/><br/> To decrypt a token encrypted with an asymmetric key, optionally specify the public key using a `certificate-id` attribute with value set to the identifier of a certificate uploaded to API Management.         | No       |
 | audiences           | A list of acceptable audience claims, in `audience` subelements, that can be present on the token. If multiple audience values are present, then each value is tried until either all are exhausted (in which case validation fails) or until one succeeds. At least one audience must be specified.                                                                     | No       |
 | issuers             | A list of acceptable principals, in `issuer` subelements, that issued the token. If multiple issuer values are present, then each value is tried until either all are exhausted (in which case validation fails) or until one succeeds.                                                                                                                                         | No       |
@@ -94,7 +94,7 @@ The `validate-jwt` policy enforces existence and validity of a supported JSON we
 ### key attributes
 | Attribute                            | Description                                                                                                                                                                                                                                                                                                                                                                                                                                            | Required                                                                         | Default                                                                           |
 | ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------- | --------------------------------------------------------------------------------- |
-| id  | (Issuer signing key only) String. Identifier used to match `kid` claim presented in JWT.  | No | N/A |
+| id  | (Issuer signing key only) String. Identifier used to match `kid` claim presented in JWT. If no keys match the claim, API Management will attempt each specified key. [Learn more about the `kid` claim in the RFC](https://www.rfc-editor.org/rfc/rfc7515#section-4.1.4). | No | N/A |
 | certificate-id  | Identifier of a certificate entity [uploaded](/rest/api/apimanagement/apimanagementrest/azure-api-management-rest-api-certificate-entity#Add) to API Management, used to specify the public key to verify a token signed with an asymmetric key.   | No | N/A |
 | n | (Issuer signing key only) Modulus of the public key used to verify the issuer of a token signed with an asymmetric key. Must be specified with the value of the exponent `e`. Policy expressions aren't allowed. | No | N/A|
 | e | (Issuer signing key only) Exponent of the public key used to verify the issuer of a token signed with an asymmetric key. Must be specified with the value of the modulus `n`. Policy expressions aren't allowed. | No | N/A|
 
@@ -23,7 +23,7 @@ zone_pivot_groups: feature-management
 
 :::zone target="docs" pivot="preview-version"
 
-[![Feature Management](https://img.shields.io/pypi/v/FeatureManagement/2.0.0b1?color=blue)](https://pypi.org/project/FeatureManagement/2.0.0b1/)<br>
+[![Feature Management](https://img.shields.io/pypi/v/FeatureManagement/2.0.0b2?color=blue)](https://pypi.org/project/FeatureManagement/2.0.0b2/)<br>
 
 :::zone-end
 
@@ -54,7 +54,7 @@ As an example, a Microsoft Edge browser feature filter could be designed. This f
 
 ### Feature flag configuration
 
-A Python dictionary is used to define feature flags. The dictionary is composed of feature names as keys and feature flag objects as values. The feature flag object is a dictionary that contains an `EnabledFor` key. The `EnabledFor` key is a list of feature filters that are used to determine if the feature should be enabled.
+A Python dictionary is used to define feature flags. The dictionary is composed of feature names as keys and feature flag objects as values. The feature flag object is a dictionary that contains a `conditions` key, which itself contains the `client_filters` key. The `client_filters` key is a list of feature filters that are used to determine if the feature should be enabled.
 
 ### Feature flag declaration
 
 
@@ -44,7 +44,7 @@ The type of the input parameter used with an Event Grid trigger depends on these
 
 When running your C# function in an isolated worker process, you need to define a custom type for event properties. The following example defines a `MyEventType` class.
 
-:::code language="csharp" source="~/azure-functions-dotnet-worker/samples/Extensions/EventGrid/EventGridFunction.cs" range="35-49":::
+:::code language="csharp" source="~/azure-functions-dotnet-worker/samples/Extensions/EventGrid/EventGridFunction.cs" range="35-48":::
 
 The following example shows how the custom type is used in both the trigger and an Event Grid output binding:
 
 
@@ -0,0 +1,145 @@
+---
+title: Add custom protocol PMTiles in the Web SDK | Microsoft Azure Maps
+description: Learn how to add custom protocol PMTiles using the Web SDK.
+author: sinnypan
+ms.author: sipa
+ms.date: 10/13/2024
+ms.topic: how-to
+ms.service: azure-maps
+ms.subservice: web-sdk
+---
+
+# Add custom protocol PMTiles
+
+The Azure Maps Web SDK supports custom protocols such as [PMTiles]. The `pmtiles://` protocol is used to reference PMTiles archives, which are single-file formats for storing tiled data such as vector and raster maps. This protocol allows Azure Maps to access specific tiles within a PMTiles archive using an HTTP request, fetching only the necessary data on demand.
+
+## Add custom protocol
+
+By using the `addProtocol` function, which registers a callback triggered before any AJAX request made by the library, you can intercept, modify, and return the request for further processing and rendering. This enables the implementation of a custom callback function to load resources when a URL starts with the designated custom schema.
+
+The first step is to add a reference to the protocol. The following example references the `pmtiles` library:
+
+```html
+  <script src="https://unpkg.com/[email protected]/dist/pmtiles.js"></script>
+```
+
+Next, initialize the MapLibre PMTiles protocol.
+
+```js
+//Initialize the plugin.
+      const protocol = new pmtiles.Protocol();
+      atlas.addProtocol("pmtiles", (request) => {
+        return new Promise((resolve, reject) => {
+          const callback = (err, data) => {
+            if (err) {
+              reject(err);
+            } else {
+              resolve({ data });
+            }
+          };
+          protocol.tile(request, callback);
+        });
+      });
+```
+
+## Add PMTiles protocol
+
+To add the PMTiles protocol, hook the data source with the specified protocol URL schema. The following sample uses the [Overture] building dataset to add building data over the basemap.
+
+```js
+const PMTILES_URL = "https://overturemaps-tiles-us-west-2-beta.s3.amazonaws.com/2024-07-22/buildings.pmtiles";
+protocol.add(new pmtiles.PMTiles(PMTILES_URL));
+```
+
+## Add PMTiles as a map source
+
+PMTiles are added as a map source during the map event. Once added, the specified URL schema is available to the Azure Maps Web SDK. In the following sample, the PMTiles URL is added as a `VectorTileSource`.
+
+```js
+//Add the source to the map.
+map.sources.add(
+  new atlas.source.VectorTileSource("pmtiles", {
+    type: "vector",
+    url: `pmtiles://${PMTILES_URL}`,
+  })
+);
+```
+
+> [!NOTE]
+> Using the `pmtiles://` protocol automatically creates the `minzoom` and `maxzoom` properties for the source.
+
+## Enhance map with Overture data
+
+Overture provides a unified and comprehensive [data schema] designed to organize and structure geospatial data effectively. This schema is divided into different themes, each representing a specific type of geospatial information.
+
+The following sample uses the building theme's properties (for example, building type and height) to demonstrate building extrusion and differentiate between building categories on the basemap, rather than just showing building footprints.
+
+```js
+//Create a polygon extrusion layer.
+layer = new atlas.layer.PolygonExtrusionLayer(
+  "pmtiles",
+  "building",
+  {
+    sourceLayer: "building",
+    height: ["get", "height"],
+    fillOpacity: 0.5,
+    fillColor: [
+      "case",
+      ['==', ['get', 'subtype'], 'agricultural'],
+      "wheat",
+      ['==', ['get', 'subtype'], 'civic'],
+      "teal",
+      ['==', ['get', 'subtype'], 'commercial'],
+      "blue",
+      ['==', ['get', 'subtype'], 'education'],
+      "aqua",
+      ['==', ['get', 'subtype'], 'entertainment'],
+      "pink",
+      ['==', ['get', 'subtype'], 'industrial'],
+      "yellow",
+      ['==', ['get', 'subtype'], 'medical'],
+      "red",
+      ['==', ['get', 'subtype'], 'military'],
+      "darkgreen",
+      ['==', ['get', 'subtype'], 'outbuilding'],
+      "white",
+      ['==', ['get', 'subtype'], 'religious'],
+      "khaki",
+      ['==', ['get', 'subtype'], 'residential'],
+      "green",
+      ['==', ['get', 'subtype'], 'service'],
+      "gold",
+      ['==', ['get', 'subtype'], 'transportation'],
+      "orange",
+      "grey",
+    ],
+    filter: ['any', ['==', ['geometry-type'], 'Polygon'], ['==', ['geometry-type'], 'MultiPolygon']]
+  }
+);
+```
+
+The following image shows a screenshot displaying the extrusion of buildings of different types near Central Park in New York City.
+
+:::image type="content" source="media/add-custom-protocol-pmtiles/pmtiles-building.png"  lightbox="media/add-custom-protocol-pmtiles/pmtiles-building.png" alt-text="A screenshot demonstrating the custom protocol pmtiles.":::
+
+For a fully functional sample with source code, see [Azure Maps Samples GitHub Repo].
+
+<!--
+For more PMTiles samples, see [Azure Maps Samples].
+[Azure Maps Samples]: https://samples.azuremaps.com/?search=pmtiles
+-->
+
+## Next Steps
+
+The following articles are related to custom protocol PMTiles:
+
+> [!div class="nextstepaction"]
+> [Create Data Source](create-data-source-web-sdk.md)
+
+> [!div class="nextstepaction"]
+> [Data Driven Style Expressions](data-driven-style-expressions-web-sdk.md)
+
+[Azure Maps Samples GitHub Repo]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/PMTiles/Overture%20Building%20Theme/Buildings.html
+[data schema]: https://docs.overturemaps.org/schema
+[Overture]: https://overturemaps.org
+[PMTiles]: https://docs.protomaps.com/pmtiles