The reasonable default is transparency about it and 2FA for recovery scenarios. MS does not have to have the keys in the clear, as it is reasonable for any secrets you store.