Only one key is needed at a time. You are getting two keys so that you can expire a key without having any system downtime.
For example, you want to replace your primary key. The procedure is:
- Configure your service or application to use the secondary key.
- Deploy or ship it to your customers.
- Regenerate the primary key.
- (Optional) Reconfigure your service to use the new primary key.
If there were only one key at a time, your service would be down while you did the key replacement.
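The rotation above, as an added simulation that is not part of the original answer and does not use Azure's SDK: a constructed two-slot key store stands in for the portal's Keys pane, a `Service` object stands in for your deployed app, and `rotate_primary` walks the steps while checking after each one that the service's requests are still accepted. `rotate_without_switching` shows the outage that results from renewing the key a service still uses.

```python
import secrets

class KeyStore:
    """Two-slot key store mimicking the portal's Keys pane (constructed for this example)."""

    def __init__(self):
        self.keys = {"primary": secrets.token_hex(16), "secondary": secrets.token_hex(16)}

    def regenerate(self, slot, deployed_slot):
        # Once a slot is renewed the old value is gone for good, so refuse to
        # renew the slot a deployed service is still sending.
        if slot == deployed_slot:
            raise RuntimeError(f"refusing to regenerate '{slot}': it is the deployed key")
        self.keys[slot] = secrets.token_hex(16)
        return self.keys[slot]

    def accepts(self, key):
        # The backend authorises a request that carries either current key.
        return key in self.keys.values()

class Service:
    """A deployed service; it holds a copy of the key value it was configured with."""

    def __init__(self, store, slot):
        self.store, self.slot, self.key = store, slot, store.keys[slot]

    def configure(self, slot):
        # Stands in for "reconfigure and deploy": the new value is copied at deploy time.
        self.slot, self.key = slot, self.store.keys[slot]

    def call_api(self):
        return self.store.accepts(self.key)

def rotate_primary(store, service):
    """Zero-downtime replacement of the primary key; returns (step, request_ok) per step."""
    steps = []
    service.configure("secondary")
    steps.append(("switch to secondary", service.call_api()))
    store.regenerate("primary", deployed_slot=service.slot)
    steps.append(("regenerate primary", service.call_api()))
    service.configure("primary")  # optional: move back onto the new primary
    steps.append(("switch to new primary", service.call_api()))
    return steps

def rotate_without_switching(store, service):
    """The mistake to avoid: renewing the key the service still uses (bypasses the guard)."""
    store.keys[service.slot] = secrets.token_hex(16)
    return service.call_api()  # False: the deployed value is no longer accepted
```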
Good practice is to replace your keys on a regular basis (every 6 months or whatever is appropriate based on the sensitivity of your data). You should also replace keys when anyone who has access to the keys leaves your business or team. Finally, you should obviously replace them if you believe they have been compromised in some way, or accidentally written to a log or posted to a public GitHub repo.
Both the primary and secondary keys can be regenerated in the Azure portal. Select your subscription, and then the Keys pane. There are two buttons at the top of the Keys pane, one to renew each of the keys. Be careful not to renew the key your currently deployed app or service is using - there is no way to get the old key back once you have renewed it. There is also no option to move the same key from one Azure account to a different one.
Thanks to Mike Goodwin for elegantly answering a similar question on Stack Overflow.