Does adding MFA not protect you against this? If you are secured by a TOTP on top of your password, it should not matter if they manage to reset your password.

Somewhat, but imho the Microsoft MFA is also full of similar flaws.

As an example: I've disabled the email and sms MFA methods because I have two hardware keys registered.

However, as soon as my account is added to an azure admin group (e.g. through PIM) an admin policy in azure forces those to 'enabled'.

It took me a long time debugging why the hell these methods got re-enabled every so often, it boils down to "because the azure admin controls for 'require MFA for admins' don't know about TOTP/U2F yet"

Imho it's maddening how bad it is.