Looks like Microsoft doesn't understand the specification that they wrote down themselves: It is a bug if an attacker can take over my entire Microsoft account via NFC. I wonder if Microsoft can make amends for any damage it causes. Credit card companies can do this and that's why some NFC payments are only 1FA.
I agree that it's weird that they fixed it and didn't consider it a security issue.
For the user it looked like it would provide two-factor authentication since the PIN is requested, while in reality it's not verified. Thus, they only provided one-factor security.