The question specifies that a query key (read-only) is compromised and explicitly states the requirement to "ensure that users only have read only access." Admin keys (Primary/Secondary) provide full read-write access and should not be used for client apps, as this violates the principle of least privilege.

To rotate a query key with zero downtime, you must follow this specific lifecycle:

1. Add a new query key: unlike Admin keys which are "regenerated," query keys are created as new items in a list (up to 50 per service).
2. Change the app to use the new key: Update the application configuration to direct traffic to the valid key.
3. Delete the compromised key: Once traffic has migrated, remove the old key to revoke unauthorized access.

Microsoft Learn - Connect to Azure AI Search using API keys:

"Query keys are used for read-only access to documents within an index... You can create up to 50 query keys per service." "The process for regenerating a query key is to delete and then recreate it."

Source: Manage Azure AI Search API Keys

Microsoft Learn - Azure CLI Command Reference (Query Keys):

"Unlike admin keys, query keys are not regenerated. The process for regenerating a query key is to delete and then recreate it."

Source: az search service query-key delete

Microsoft Learn - Security Best Practices:

"If you want to continue using API keys, be sure to always monitor who has access to your API keys and regenerate API keys on a regular cadence." (Context: Rotation involves overlap to prevent downtime).

Source: Security controls for Azure AI Search