DETAILED ACTION
The following claims are pending in this office action: 1-20
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Drawings
The drawings filed on 03/25/2021 are accepted.  
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 08/19/2022 has been considered.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, an initialed and dated copy of Applicant’s IDS form 1449 filed 08/19/2022 is attached to the instant Office action. 
Claim Objections
Claims 1-16 are objected to because of the following informalities:
Claims 1-16 recite the limitation “the at least one trigger event is not is restricted” (claim 1, ln. 15; and claim 8, ln. 16). It appears that this is a typo.  Examiner suggests “is not restricted”.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claim 15 is rejected under 35 U.S.C. 112(b), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Claim 15 recites the limitation “the permissions level” (claim 15, ln. 3). This limitation lacks antecedent basis.  Examiner suggests “the second permissions level”.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 5-8 and 12-16 are rejected under 35 U.S.C. 103 as being unpatentable over Hausknecht, Ryan, “Defense and Detection for Attacks Within Azure”, Retrieved from: https://posts.specterops.io/detecting-attacks-within-azure-bdc40f8c0766, February 4, 2020, pg. 1-12 (hereinafter “Hausknecht”) in view of Stoler et al. (US Pub. 2021/0073406) (hereinafter “Stoler”).

As per claim 1, Hausknecht teaches a computer-implemented method, comprising: identifying a policy definition that is configured to ([Hausknecht, pg. 1, Sec. Overview] “Whenever an operation [policy definition] is completed within Azure, an event is generated and kept [identifying] within the Activity Log service") cause generation of a computing resource ([pg. 7, Sec. Runbooks] "a Runbook [policy definition] that will provide [generation] a new account [a computing resource]") having a first permissions level that is lower than at least one second permissions level; ([pg. 7, Sec. Runbooks] "a new [a first permissions level] account and assign it to the Contributor role [second permissions level]"; [pg. 4, Sec. Defensive Approach] “Assigning the Global Contributor role to a user gives that user a great amount of access and execution capabilities [making the ‘new’ permissions level a lower level than the ‘Contributor’ permissions level]”)
determining that a user account that is assigned the at least one second permissions level ([Hausknecht, pg. 7, Sec. Runbooks] “Administrators [a user account that is assigned the at least one second permissions level] can create users in Azure AD”) has been utilized to generate a service principal ([pg. 8, Fig. 11] “create [generate] … an Azure Automation webhook [a Service Principal]”) that is configured to update the computing resource from having the first permissions level to having the at least one second permissions level; ([pg. 7, Sec. Runbooks] “creating a Runbook that will provide a new account and assign it to the Contributor role when executed”)
identifying at least one trigger event that is configured to: ([Hausknecht, pg. 1, Sec. Overview] “Whenever an operation is completed within Azure, an event [trigger event] is generated and kept [identifying] within the Activity Log service")
cause generation of the computing resource in accordance with the policy definition, and ([Hausknecht, pg. 1, Sec. Overview] “Whenever an operation is completed within Azure, an event [trigger event] is generated and kept [identifying] within the Activity Log service")
cause the service principal to update the computing resource from having the first permissions level to having the at least one second permissions level; ([Hausknecht, Fig. 3; pg. 7, Sec. Runbooks] “a Runbook that will provide a new [the first permissions level] account [computing resource] and assign it [update] to the Contributor role [to having the at least one second permissions level] when executed; a function … generates a Webhook [service principal] ...  which will run the Runbook on demand [causes]")
Hausknecht does not clearly teach determining whether the at least one trigger event is restricted based on the at least one second permissions level; and performing a predefined remedial action in response to determining that the at least one trigger event is not is restricted based on the at least one second permissions level.
However, Stoler teaches determining whether the at least one trigger event is restricted based on the at least one second permissions level; and ([Stoler, para. 0130] “certain predetermined actions [trigger event] may be deemed [determining] sensitive to security [restricted] … Examples may include changing the virtual instance parameters … permissions [based on the at least one second permissions level]”) 
performing a predefined remedial action ([Stoler, para. 0132] “a security policy may determine whether to perform a control action [remedial action]”) in response to determining that the at least one trigger event is not is restricted based on the at least one second permissions level.  ([para. 0131] “Operation 702 … may… [determine] If the virtual instance is … capable of operating [is not restricted] on the host environment … process 700 may proceed to operation 705 and implement a control action for the runtime activity [at least one trigger event] of the virtual instance”; [para. 0130] “predetermined actions … may lead to a privileged configuration inspection in operation 702 … include changing the virtual instance parameters … permissions [based on the at least one second permissions level]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Hausknecht with the teachings of Stoler to include determining whether the at least one trigger event is restricted based on the at least one second permissions level; and performing a predefined remedial action in response to determining that the at least one trigger event is not is restricted based on the at least one second permissions level.  One of ordinary skill in the art would have been motivated to make this modification because when an attacker escalates privileges such that they can gain access to the host system, the attacker can potentially cause widespread damage throughout the entire host system, and these technological solutions control the creation, development, and operations of virtual instances that may have privileged capabilities.  (Stoler, para. 0004; para. 0008)
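As an added illustration (not code from the office action, nor from Hausknecht or Stoler), the claim 1 determination is re-expressed below as a defender-side check over constructed tenant state: a policy definition that creates a resource at a first (lower) permissions level, a service principal created by a higher-level account that raises the resource to the second level when a trigger fires, and the question of whether that trigger is restricted to callers already holding the second level. The level ranking, account names, record fields and the chosen remedial action are all assumptions made for the example.

```python
"""
Constructed model of the escalation chain mapped onto claim 1 and a check that
flags triggers which are NOT restricted by the second permissions level.
Everything here (levels, names, record layout) is assumed for illustration.
"""
from dataclasses import dataclass, field

# Ordered permissions levels (constructed ranking; higher index = more access).
LEVELS = ["None", "Reader", "Contributor", "Owner", "GlobalAdministrator"]


def rank(level: str) -> int:
    return LEVELS.index(level)


@dataclass
class PolicyDefinition:
    name: str
    creates_resource: str   # resource the policy deploys
    created_level: str      # first permissions level of that resource


@dataclass
class ServicePrincipal:
    name: str
    created_by: str         # user account that generated the service principal
    updates_resource: str   # resource it re-assigns when invoked
    target_level: str       # second permissions level it assigns


@dataclass
class TriggerEvent:
    name: str
    runs_policy: str        # policy definition the trigger causes to run
    invokes_sp: str         # service principal the trigger causes to run
    caller_min_level: str   # lowest level a caller needs to fire the trigger


@dataclass
class Tenant:
    user_levels: dict
    policies: list
    service_principals: list
    triggers: list
    decommissioned: list = field(default_factory=list)


@dataclass
class Finding:
    trigger: str
    policy: str
    service_principal: str
    first_level: str
    second_level: str


def find_unrestricted_escalations(t: Tenant) -> list:
    """Return one Finding per trigger that (a) runs a policy creating a resource at
    a lower level, (b) runs a service principal, generated by an account holding the
    second level, that raises the same resource to the second level, and (c) can be
    fired by callers BELOW the second level, i.e. the trigger is not restricted."""
    findings = []
    policies = {p.name: p for p in t.policies}
    sps = {s.name: s for s in t.service_principals}
    for trig in t.triggers:
        p, s = policies.get(trig.runs_policy), sps.get(trig.invokes_sp)
        if p is None or s is None or s.updates_resource != p.creates_resource:
            continue
        if rank(p.created_level) >= rank(s.target_level):
            continue  # first level is not lower than the second: no escalation
        creator_level = t.user_levels.get(s.created_by, "None")
        if rank(creator_level) < rank(s.target_level):
            continue  # creator does not hold the second level; outside claim 1
        restricted = rank(trig.caller_min_level) >= rank(s.target_level)
        if not restricted:
            findings.append(Finding(trig.name, p.name, s.name,
                                    p.created_level, s.target_level))
    return findings


def remediate(t: Tenant, findings: list) -> list:
    """Predefined remedial action (assumed): decommission the service principal and
    the policy definition behind each unrestricted trigger, and drop the trigger so
    it cannot fire. Returns the decommissioned names in order."""
    for f in findings:
        for name in (f.service_principal, f.policy):
            if name not in t.decommissioned:
                t.decommissioned.append(name)
    gone = {f.trigger for f in findings}
    t.triggers = [x for x in t.triggers if x.name not in gone]
    return list(t.decommissioned)


def sample_tenant(webhook_min_level: str = "None") -> Tenant:
    """Constructed tenant: a policy deploys a Reader-level account; an automation
    webhook created by an administrator assigns it Contributor on demand."""
    return Tenant(
        user_levels={"alice-admin": "GlobalAdministrator", "bob-dev": "Reader"},
        policies=[PolicyDefinition("deploy-svc-account", "svc-account-01", "Reader")],
        service_principals=[ServicePrincipal("automation-webhook", "alice-admin",
                                             "svc-account-01", "Contributor")],
        triggers=[TriggerEvent("webhook-post", "deploy-svc-account",
                               "automation-webhook", webhook_min_level)],
    )


if __name__ == "__main__":
    tenant = sample_tenant()
    hits = find_unrestricted_escalations(tenant)
    print(hits)
    print(remediate(tenant, hits))
```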

As per claim 5, Hausknecht in view of Stoler teaches claim 1.  
Hausknecht does not clearly teach wherein the predefined remedial action includes decommissioning at least one of: the policy definition that is configured to cause generation of the computing resource having the first permissions level; or the service principal that is configured to update the computing resource from having the first permissions level to having the at least one second permissions level.
However, Stoler teaches wherein the predefined remedial action includes decommissioning at least one of: the policy definition that is configured to cause generation of the computing resource having the first permissions level; or ([Stoler, para. 0132] “Examples of control actions [remedial action] include … blocking [decommissioning] a virtual instance to proceed [the policy definition] from development into deployment [generation of the computing resource]”)
the service principal that is configured to update the computing resource from having the first permissions level to having the at least one second permissions level. ([Stoler, para. 0132] “Examples of control actions [remedial action] include … blocking [decommissioning] a virtual instance [service principal] to have new or different [updating] dependencies [updating first permissions level to at least the second permissions level – see para. 0104] with other virtual instances [the computing resource]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Hausknecht and Stoler for the same reasons as disclosed above. 

As per claim 6, Hausknecht in view of Stoler teaches claim 5.  
Hausknecht also teaches wherein the user account that has been utilized to generate the service principal is assigned the at least one second permissions level.  ([Hausknecht, pg. 7, Sec. Runbooks] “It [the user account] generates a webhook [the service principal] … requires [is assigned] the Administrative Role [at least one second permissions level] because only Administrators can create users in Azure AD”)

As per claim 7, Hausknecht in view of Stoler teaches claim 1.  
Hausknecht does not clearly teach wherein the performing the predefined remedial action prevents the at least one trigger event from causing at least one of: generation of the computing resource in accordance with the policy definition, or the service principal from updating the computing resource from having the first permissions level to having the at least one second permissions level.
However, Stoler teaches wherein the performing the predefined remedial action prevents the at least one trigger event from causing at least one of: generation of the computing resource in accordance with the policy definition, or ([Stoler, para. 0132] “Examples of control actions [remedial action] include … blocking [prevents] a virtual instance to proceed [in accordance with the policy definition] from development into deployment [generation of the computing resource]”)
the service principal from updating the computing resource from having the first permissions level to having the at least one second permissions level.  ([Stoler, para. 0132] “Examples of control actions [remedial action] include … blocking [prevents] a virtual instance [service principal] to have new or different dependencies [updating first permissions level to at least the second permissions level – see para. 0104] with other virtual instances [the computing resource]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Hausknecht and Stoler for the same reasons as disclosed above. 

As per claim 8, Hausknecht teaches a system comprising: 
identify a policy definition that is configured to ([Hausknecht, pg. 1, Sec. Overview] “Whenever an operation [policy definition] is completed within Azure, an event is generated and kept [identifying] within the Activity Log service") cause generation of a computing resource ([pg. 7, Sec. Runbooks] "a Runbook [policy definition] that will provide [generation] a new account [a computing resource]") having a first permissions level that is different than a second permissions level; ([pg. 7, Sec. Runbooks] "a new [a first permissions level] account and assign it to the Contributor role [second permissions level]"; [pg. 4, Sec. Defensive Approach] “Assigning the Global Contributor role to a user gives that user a great amount of access and execution capabilities [making the ‘new’ permissions level a lower level than the ‘Contributor’ permissions level]”)
determine that another computing resource that is assigned the second permissions level ([Hausknecht, pg. 7, Sec. Runbooks] “Administrators [another computing resource that is assigned the at least one second permissions level] can create users in Azure AD”) has been utilized to generate a service principal ([pg. 8, Fig. 11] “create [generate] … an Azure Automation webhook [a Service Principal]”) that is configured to update the computing resource from having the first permissions level to having the second permissions level; ([pg. 7, Sec. Runbooks] “creating a Runbook that will provide a new account and assign it to the Contributor role when executed”)
identify at least one trigger event that is configured to: ([Hausknecht, pg. 1, Sec. Overview] “Whenever an operation is completed within Azure, an event [trigger event] is generated and kept [identifying] within the Activity Log service")
cause generation of the computing resource in accordance with the policy definition, and ([Hausknecht, pg. 1, Sec. Overview] “Whenever an operation is completed within Azure, an event [trigger event] is generated and kept [identifying] within the Activity Log service")
cause the service principal to update the computing resource from having the first permissions level to having the second permissions level.  ([Hausknecht, Fig. 3; pg. 7, Sec. Runbooks] “a Runbook that will provide a new [the first permissions level] account [computing resource] and assign it [update] to the Contributor role [to having the at least one second permissions level] when executed; a function … generates a Webhook [service principal] ...  which will run the Runbook on demand [causes]")
Hausknecht does not clearly teach one or more processors; and at least one computer storage medium having computer executable instructions stored thereon which, when executed by the one or more processors causes the system to perform steps; and in response to a determination that the at least one trigger event is not is restricted based on the second permissions level, performing at least one predefined remedial action prior to an occurrence of the at least one trigger event.
However, Stoler teaches one or more processors; ([Stoler, para. 0197] “a processor of a … computer”)
and at least one computer storage medium having computer executable instructions stored thereon which, when executed by the one or more processors causes the system to perform steps; and ([Stoler, para. 0197] “the instructions, which execute via the processor of the computer … may also be stored in a computer readable storage medium that can direct a computer … to function in a particular manner”)
in response to a determination that the at least one trigger event is not is restricted based on the second permissions level, ([Stoler, para. 0130] “certain predetermined actions [trigger event] may be deemed [determining] sensitive to security [restricted] … Examples may include changing the virtual instance parameters … permissions [based on the at least one second permissions level]”) performing at least one predefined remedial action prior to an occurrence of the at least one trigger event. ([para. 0131] “Operation 702 … may… [determine] If the virtual instance is … capable of operating [is not restricted] on the host environment … process 700 may proceed to operation 705 and implement a control action for the runtime activity [at least one trigger event] of the virtual instance”; [para. 0130] “predetermined actions … may lead to a privileged configuration inspection in operation 702 … include changing the virtual instance parameters … permissions [based on the at least one second permissions level]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Hausknecht with the teachings of Stoler to include one or more processors; and at least one computer storage medium having computer executable instructions stored thereon which, when executed by the one or more processors causes the system to perform steps; and in response to a determination that the at least one trigger event is not is restricted based on the second permissions level, performing at least one predefined remedial action prior to an occurrence of the at least one trigger event.  One of ordinary skill in the art would have been motivated to make this modification because when an attacker escalates privileges such that they can gain access to the host system, the attacker can potentially cause widespread damage throughout the entire host system, and these technological solutions control the creation, development, and operations of virtual instances that may have privileged capabilities.  (Stoler, para. 0004; para. 0008)

As per claim 12, Hausknecht in view of Stoler teaches claim 8.  
Hausknecht does not clearly teach wherein the predefined remedial action includes decommissioning at least one service principal that corresponds to the policy definition that is configured to cause generation of the computing resource having the first permissions level. 
However, Stoler teaches wherein the predefined remedial action includes decommissioning at least one service principal that corresponds to the policy definition that is configured to cause generation of the computing resource having the first permissions level. ([Stoler, para. 0132] “Examples of control actions [remedial action] include … blocking [decommissioning] a virtual instance [service principal] to proceed [the policy definition] from development into deployment [generation of the computing resource]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Hausknecht and Stoler for the same reasons as disclosed above. 

As per claim 13, Hausknecht in view of Stoler teaches claim 8.  
Hausknecht does not clearly teach wherein the predefined remedial action includes decommissioning the service principal that is configured to update the computing resource from having the first permissions level to having the second permissions level.
However, Stoler teaches wherein the predefined remedial action includes decommissioning the service principal that is configured to update the computing resource from having the first permissions level to having the second permissions level.  ([Stoler, para. 0132] “Examples of control actions [remedial action] include … blocking [decommissioning] a virtual instance [service principal] to have new or different [updating] dependencies [updating first permissions level to at least the second permissions level – see para. 0104] with other virtual instances [the computing resource]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Hausknecht and Stoler for the same reasons as disclosed above. 

As per claim 14, the claim language is identical or substantially similar to that of claim 6. Therefore, it is rejected under the same rationale applied to claim 6.

As per claim 15, Hausknecht in view of Stoler teaches claim 8.  
Hausknecht does not clearly teach wherein the performing the predefined remedial action prevents the service principal from updating the computing resource from having the first permissions level to having the permissions level.
However, Stoler teaches wherein the performing the predefined remedial action prevents the service principal from updating the computing resource from having the first permissions level to having the permissions level.  ([Stoler, para. 0132] “Examples of control actions [remedial action] include … blocking [prevents] a virtual instance [service principal] to have new or different dependencies [updating first permissions level to at least the second permissions level – see para. 0104] with other virtual instances [the computing resource]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Hausknecht and Stoler for the same reasons as disclosed above. 

As per claim 16, Hausknecht in view of Stoler teaches claim 8.  
Hausknecht does not clearly teach wherein the performing the predefined remedial action prevents the at least one trigger event from causing generation of the computing resource in accordance with the policy definition.
However, Stoler teaches wherein the performing the predefined remedial action prevents the at least one trigger event from causing generation of the computing resource in accordance with the policy definition. ([Stoler, para. 0132] “Examples of control actions [remedial action] include … blocking [prevents] a virtual instance to proceed [in accordance with the policy definition] from development into deployment [generation of the computing resource]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Hausknecht and Stoler for the same reasons as disclosed above. 

Claims 2 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Hausknecht in view of Stoler as applied to claims 1 and 8 above and further in view of Chen, Mike, “Public preview of new Azure Policy features”, Retrieved from: https://azure.microsoft.com/en-us/blog/recap-on-new-azure-policy-features-in-ignite/, November 20, 2017, pg. 1-6 (hereinafter “Chen”).

As per claim 2, Hausknecht in view of Stoler teaches claim 1.  
Hausknecht in view of Stoler does not clearly teach wherein the policy definition is configured to cause generation of the computing resource, based on a resource template, in response to a result of an existence condition associated with the computing resource.
However, Chen teaches wherein the policy definition is configured to cause generation of the computing resource, based on a resource template, in response to a result of an existence condition associated with the computing resource. ([Chen, pg. 3, Sec. DeployIfNotExist] “With DeployifNotExist, a policy [policy definition] provides a mechanism to automatically deploy [cause generation of the computing resource] a template [based on a resource template] if a specific configuration is not represented [an existence condition associated with the computing resource]”) 
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Hausknecht in view of Stoler with the teachings of Chen to include wherein the policy definition is configured to cause generation of the computing resource, based on a resource template, in response to a result of an existence condition associated with the computing resource.  One of ordinary skill in the art would have been motivated to make this modification because such a mechanism allows detection of a (malicious) deployment job that runs on behalf of the user who created the resource.  (Chen, pg. 3, Sec. DeployIfNotExist)

As per claim 9, the claim language is identical or substantially similar to that of claim 2. Therefore, it is rejected under the same rationale applied to claim 2.

Claims 3-4, 10-11 and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Hausknecht in view of Stoler as applied to claims 1 and 8 above and further in view of Mollema, Dirk-jan, “Azure AD privilege escalation - Taking over default application permissions as Application Admin”, Retrieved from https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/, September 16, 2019, pg. 1-7 (hereinafter “Mollema”).

As per claim 3, Hausknecht in view of Stoler teaches claim 1.  
Hausknecht in view of Stoler does not clearly teach wherein: the service principal is a second service principal that has been assigned the at least one second permissions level; and the at least one trigger event corresponds to an action being performed with respect to a first service principal that has not been assigned the at least one second permissions level.
However, Mollema teaches wherein: the service principal is a second service principal that has been assigned the at least one second permissions level; and ([Mollema, pg. 5, Table] a number of Service Principals [second service principal] associated with applications is listed with, for example, Files.ReadWrite.All access [at least one second permissions level]; [pg. 1, para. 2] “the Service Principle is the security object that can actually have privileges in the Azure Directory”)
the at least one trigger event corresponds to an action being performed with respect to a first service principal that has not been assigned the at least one second permissions level. ([Mollema, pg. 5, para. 1] “An Application Administrator/On-Premise Sync Account [a first service principal] … can read and modify directory settings, group membership, user account … by assigning credentials to an existing service principal and then impersonating these applications”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Hausknecht in view of Stoler with the teachings of Mollema to include wherein: the service principal is a second service principal that has been assigned the at least one second permissions level; and the at least one trigger event corresponds to an action being performed with respect to a first service principal that has not been assigned the at least one second permissions level.  One of ordinary skill in the art would have been motivated to make this modification because such a mechanism allows for detection of where an Application Admin or a compromised On-Premise Sync Account could escalate privileges by assigning credentials to applications.  (Mollema, pg. 1, para. 1)

As per claim 4, Hausknecht in view of Stoler and further in view of Mollema teaches claim 3. 
Hausknecht also teaches wherein the at least one trigger event corresponds to at least one of: a scheduled event being performed with respect to the first service principal, or a user-defined HTTP callback associated with the first service principal.  ([Hausknecht, Fig. 3; pg. 7, Sec. Runbooks] “a Webhook [first service principal] URI [a user-defined HTTP] that can be passed into Execute-Backdoor which will run the Runbook on demand [scheduled event being performed]")

As per claim 10, the claim language is identical or substantially similar to that of claim 3. Therefore, it is rejected under the same rationale applied to claim 3.

As per claim 11, the claim language is identical or substantially similar to that of claim 4. Therefore, it is rejected under the same rationale applied to claim 4.

As per claim 17, Hausknecht teaches identify ([Hausknecht, pg. 1, Sec. Overview] “Whenever an operation [policy definition] is completed within Azure, an event is generated and kept [identifying] within the Activity Log service") a first service principal that is configured to perform an automated task in response to a trigger event;  ([pg. 8, Fig. 11] “create [generate] … an Azure Automation [configured to perform an automated task] webhook [a Service Principal]”; “a Webhook [first service principal] … will run the Runbook on demand [in response to a trigger event]”)
identify a second service principal that corresponds to a policy definition that is configured to cause generation of a computing resource having a first permissions level in response to the automated task; ([Hausknecht, pg. 7, Sec. Runbooks] "In PowerZure, a function [application/second service principal] … works by creating a Runbook [policy definition] that will provide [generation] a new [first permissions level] account [a computing resource]")
Hausknecht does not clearly teach a system comprising: one or more processors; and at least one computer storage medium having computer executable instructions stored thereon which, when executed by the one or more processors, cause the system to perform steps; based at least in part on identifying the instructions, perform at least one predefined remedial action prior to an occurrence of the trigger event.
However, Stoler teaches a system comprising: one or more processors; and ([Stoler, para. 0197] “a processor of a … computer”)
at least one computer storage medium having computer executable instructions stored thereon which, when executed by the one or more processors, cause the system to perform steps; ([Stoler, para. 0197] “the instructions, which execute via the processor of the computer … may also be stored in a computer readable storage medium that can direct a computer … to function in a particular manner”)
based at least in part on identifying the instructions, perform at least one predefined remedial action ([Stoler, para. 0132] “a security policy [identifying the instructions – see para. 0131] may determine whether to perform a control action [remedial action]”) prior to an occurrence of the trigger event. ([para. 0131] “Operation 702 … may… [determine] If the virtual instance is … capable of operating on the host environment [identifying the instructions] … process 700 may proceed to operation 705 and implement a control action for the runtime activity [trigger event] of the virtual instance”; [para. 0134] “the virtual instance is blocked… prior to deployment [prior to an occurrence]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Hausknecht with the teachings of Stoler to include a system comprising: one or more processors; and at least one computer storage medium having computer executable instructions stored thereon which, when executed by the one or more processors, cause the system to perform steps; based at least in part on identifying the instructions, perform at least one predefined remedial action prior to an occurrence of the trigger event.  One of ordinary skill in the art would have been motivated to make this modification because when an attacker escalates privileges such that they can gain access to the host system, the attacker can potentially cause widespread damage throughout the entire host system, and these technological solutions control the creation, development, and operations of virtual instances that may have privileged capabilities.  (Stoler, para. 0004; para. 0008)
Hausknecht in view of Stoler does not clearly teach identify instructions that are configured to cause generation of a connection between the computing resource and a third service principal that is assigned a second permissions level in response to the automated task.
However, Mollema teaches identify instructions that are configured to cause generation of a connection between the computing resource and a third service principal that is assigned a second permissions level in response to the automated task.  ([Mollema, pg. 5, para. 1] “An Application Administrator/On-Premise Sync Account [the computing resource] … can read and modify directory settings, group membership, user account … by assigning credentials [instructions that are configured to cause generation of a connection] to an existing service principal [a third service principal] and then impersonating these applications”; [pg. 5, Table] a number of Service Principals [third service principal] associated with applications is listed with, for example, Files.ReadWrite.All access [a second permissions level]; [pg. 5, para. 2] “you can exploit this by … use[ing] Python for logging in with a service principal password [in response to the automated task, as a Python script is an automated task]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Hausknecht in view of Stoler with the teachings of Mollema to include identify instructions that are configured to cause generation of a connection between the computing resource and a third service principal that is assigned a second permissions level in response to the automated task.  One of ordinary skill in the art would have been motivated to make this modification because such a mechanism allows for detection of where an Application Admin or a compromised On-Premise Sync Account could escalate privileges by assigning credentials to applications.  (Mollema, pg. 1, para. 1)

As per claim 18, the claim language is identical or substantially similar to that of claim 4. Therefore, it is rejected under the same rationale applied to claim 4.

As per claim 19, Hausknecht in view of Stoler and further in view of Mollema teaches claim 17.  
Hausknecht in view of Mollema does not clearly teach wherein the performing the at least one predefined remedial action prevents the trigger event from causing at least one of: generation of the computing resource in accordance with the policy definition, or the service principal from updating the computing resource from having the first permissions level to having the at least one second permissions level.
However, Stoler teaches wherein the performing the at least one predefined remedial action prevents the trigger event from causing at least one of: generation of the computing resource in accordance with the policy definition, or ([Stoler, para. 0132] “Examples of control actions [remedial action] include … blocking [prevents] a virtual instance to proceed [in accordance with the policy definition] from development into deployment [generation of the computing resource]”)
the service principal from updating the computing resource from having the first permissions level to having the at least one second permissions level.  ([Stoler, para. 0132] “Examples of control actions [remedial action] include … blocking [prevents] a virtual instance [service principal] to have new or different dependencies [updating first permissions level to at least the second permissions level – see para. 0104] with other virtual instances [the computing resource]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Hausknecht, Stoler and Mollema for the same reasons as disclosed above. 

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Hausknecht in view of Stoler and further in view of Mollema as applied to claim 17 above, and further in view of Chen.  

As per claim 20, Hausknecht in view of Stoler and further in view of Mollema teaches claim 17.  
Hausknecht in view of Stoler and further in view of Mollema does not clearly teach wherein the policy definition is configured to cause generation of the computing resource, based on a resource template, in response to a result of an existence condition associated with the computing resource.
However, Chen teaches wherein the policy definition is configured to cause generation of the computing resource, based on a resource template, in response to a result of an existence condition associated with the computing resource. ([Chen, pg. 6, Sec. DeployIfNotExist] “With DeployifNotExist, a policy [policy definition] provides a mechanism to automatically deploy [cause generation of the computing resource] a template [based on a resource template] if a specific configuration is not represented [an existence condition associated with the computing resource]”) 
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Hausknecht in view of Stoler with the teachings of Chen to include wherein the policy definition is configured to cause generation of the computing resource, based on a resource template, in response to a result of an existence condition associated with the computing resource.  One of ordinary skill in the art would have been motivated to make this modification because such a mechanism allows detection of a (malicious) deployment job that runs on behalf of the user who created the resource.  (Chen, pg. 3, Sec. DeployIfNotExist)

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Robbins et al. (US Pub. 2021/0336971) discloses a system for analyzing directory service environment attack paths for an enterprise, which includes attack paths that actors can use to elevate privileges of actions in order to complete their objective.  
Hausknecht, Ryan, “Attacking Azure, Azure AD, and Introducing PowerZure”, Retrieved from: https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a, January 28, 2020, pg. 1-22 discloses that administrators can create a backdoor to create a new user and assign them to the owner role, and then generate a webhook which will output a URI, where the URI can then be passed to execute the backdoor.  
Mollema, Dirk-jan, “I’m in your cloud… reading everyone’s email Hacking Azure AD via Active Directory”, Retrieved from: https://dirkjanm.io/assets/raw/TR19-Im%20in%20your%20cloud.pdf, March 20, 2019, pg. 1-90 discloses the problem where a user in Azure AD can create new applications and service principals for these applications, where if an admin grants consent for an application to access data, that person can now have inappropriate access (see slide 58), and logging associated with said actions.  
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHE LIU whose telephone number is (571) 272-3634.  The examiner can normally be reached on Monday - Friday: 8:30 AM to 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/Z.L./Examiner, Art Unit 2493

/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493