Forum Discussion

italicize_valiant
Occasional Reader
Mar 11, 2025

Incorrect Identification of Local Admin in Defender for Endpoint

Hello everyone,

I am facing an issue with Microsoft Defender for Endpoint where a user is incorrectly identified as having local admin rights. In the Devices menu of the workstation in Defender, the user is tagged as a local admin. This is also confirmed when searching in Advanced Hunting with the following query:

DeviceLogonEvents | where LogonType == "Interactive" and IsLocalAdmin == true and AdditionalFields contains "\"IsLocalLogon\":true"

However, after checking the user's workstation, I found that the user is not part of the local or domain administrator group. The user cannot perform privilege escalation. It is worth noting that the user has another domain account with admin rights.

Additionally, the user's workstation has been AAD joined with his account, so he may have had admin rights on the computer at one time, but not anymore.

Has anyone encountered a similar issue or have any suggestions on how to resolve this?

Thank you!
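One way to check the endpoint side of this discrepancy, as an added example that is not part of the original post: enumerate the local Administrators group directly through ADSI (Get-LocalGroupMember can fail on Entra ID joined devices when a member SID does not resolve) and see whether the account Defender flags is really a member. Entra ID principals, including the account that joined the device, appear only as SIDs starting S-1-12-1- when they cannot be resolved locally, so a name-based check alone can miss them. The account name is a placeholder.

```powershell
# Added example (not from the original post). Run on the workstation in question.
# Lists every member of the local Administrators group, including Entra ID
# principals that show up only as an unresolved SID, and reports whether the
# account named below is among them.
$AccountName = "CONTOSO\jdoe"   # placeholder: DOMAIN\user reported as IsLocalAdmin

$group   = [ADSI]"WinNT://./Administrators,group"
$members = @($group.Invoke("Members"))

$report = foreach ($m in $members) {
    # The WinNT provider exposes members as COM objects; read their properties via reflection.
    $adsPath = $m.GetType().InvokeMember("ADsPath", "GetProperty", $null, $m, $null)
    $class   = $m.GetType().InvokeMember("Class",   "GetProperty", $null, $m, $null)

    # ADsPath is WinNT://DOMAIN/name, WinNT://COMPUTER/name, or WinNT://S-1-12-1-... for
    # Entra ID users and role groups that the device cannot resolve to a name.
    $name = ($adsPath -replace '^WinNT://', '') -replace '/', '\'

    $source = if ($name -match '^S-1-12-1-') {
        "Entra ID (unresolved SID)"
    } elseif ($name -like "$env:COMPUTERNAME\*") {
        "Local"
    } else {
        "Domain"
    }

    [pscustomobject]@{ Member = $name; Class = $class; Source = $source }
}

$report | Format-Table -AutoSize

if ($report.Member -contains $AccountName) {
    Write-Output "$AccountName IS a member of the local Administrators group."
} else {
    Write-Output "$AccountName is NOT listed by name; compare any Entra ID SIDs above against the user's SID (whoami /user in the user's session)."
}
```

Because Entra ID membership is stored by SID rather than by name, compare the S-1-12-1- entries against the SID the user's own session reports before concluding the account has no local admin rights.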
