Issue
The Active Directory Federation Services (AD FS) Distributed Key Manager (DKM) master key, which is needed to decrypt the AD FS certificates, is stored in Active Directory itself: it is kept in the thumbnailPhoto attribute of a contact object located under the CN=ADFS,CN=Microsoft,CN=Program Data,DC=domain,DC=com container.
If the service account for your managed domain in Adaxes is a member of Domain Admins, it has the rights to read the DKM master key. Note that Adaxes never attempts to access the key on its own.
However, users who have permissions to view contacts in Adaxes may be able to open the contact object in which the DKM key is stored. This is especially likely if you haven't modified or disabled the built-in Domain user security role, which grants every user the right to view every object in your directory via Adaxes.
Adaxes will not reveal the DKM key value under any circumstances, even if the user viewing the contact object has service administrator-level permissions. However, because the directory read is performed by the Adaxes service account, an attempt to view the contact will still trigger a Suspected AD FS DKM key read alert in Microsoft Defender for Identity.
Solution
It is recommended to deny the Read permission to your managed domain service account over the CN=ADFS,CN=Microsoft,CN=Program Data,DC=domain,DC=com container via native AD access control. An explicit Deny entry takes precedence over the Allow rights the account receives through Domain Admins membership, and it must be inheritable so that it also covers the contact objects stored under the container. Since Adaxes never needs the DKM key, the Deny has no impact on Adaxes functionality; it only prevents the service account, and therefore any Adaxes user, from reading the key.
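The following PowerShell script is an added example and is not part of the original article or of Adaxes. It applies the recommended Deny entry with the ActiveDirectory module and then verifies that the entry is present on the container and inherited by the contact objects beneath it. The service account name svc-adaxes is a hypothetical placeholder; replace it with the sAMAccountName of your managed domain service account, and run the script as an account that is allowed to modify the container's permissions.

```powershell
# Added example (not from the original article): deny the Adaxes service
# account Read access on the AD FS DKM container via native AD permissions,
# then confirm that the Deny entry is inherited by the DKM contact objects.
# Assumption: the service account's sAMAccountName is svc-adaxes (hypothetical).

Import-Module ActiveDirectory

$serviceAccountName = 'svc-adaxes'   # hypothetical; adjust to your environment
$domainDN    = (Get-ADDomain).DistinguishedName
$containerDN = "CN=ADFS,CN=Microsoft,CN=Program Data,$domainDN"

# Resolve the account to its SID so the ACE stays valid if the account is renamed.
$sid = (Get-ADUser -Identity $serviceAccountName).SID

# Deny GenericRead (read properties, list contents, read permissions) on the
# container, inherited by all descendants. The inheritance is what covers the
# contact object that holds the thumbnailPhoto attribute with the DKM key.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$containerDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$containerDN" -AclObject $acl

# Verification 1: the explicit Deny must now be present on the container itself.
$denyOnContainer = (Get-Acl -Path "AD:\$containerDN").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and
                   $_.IdentityReference -like "*\$serviceAccountName" }
if (-not $denyOnContainer) {
    throw "Deny entry for $serviceAccountName was not written to $containerDN"
}
Write-Host "Deny entry present on $containerDN"

# Verification 2: every contact object under the container must inherit it.
# Only default attributes are requested here, so thumbnailPhoto (the key
# material) is never read by this check.
$contacts = Get-ADObject -SearchBase $containerDN -SearchScope Subtree `
                         -LDAPFilter '(objectClass=contact)'
foreach ($contact in $contacts) {
    $inherited = (Get-Acl -Path "AD:\$($contact.DistinguishedName)").Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and
                       $_.IsInherited -and
                       $_.IdentityReference -like "*\$serviceAccountName" }
    if ($inherited) {
        Write-Host "OK: Deny inherited by $($contact.DistinguishedName)"
    } else {
        # Typically means inheritance is blocked on the object; the Deny would
        # then have to be applied to the contact object directly.
        Write-Warning "Deny NOT inherited by $($contact.DistinguishedName); check whether inheritance is disabled on it"
    }
}
```

If the warning fires for a contact object, inheritance has been disabled on that object and the Deny entry must be added to it explicitly, otherwise the service account keeps its read access to the key through its Domain Admins membership. Because the account is a Domain Admin it could in principle remove this Deny again, so the entry is a safeguard against accidental reads through Adaxes rather than a control against a compromised service account.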