No I said the email 2fa is a backup, I don't know if you've ever tried to log into an account with 2FA enabled but you get the choice to set up multiple ways to recover your account if you can't access it by the usual methods, a secondary email is one that's verified, an SMS is another as are backup codes presented to you when you enable 2FA. Certainly this is the case for Google accounts. There is no "2nd 2fa app" and I'm quite puzzled where you got that idea.
It's simple If your account password for a service in your 2FA app has its password found out by someone, they won't be able to get into it. If your MS account password is known by someone else, they won't be able to recover your 2FA accounts after installing MS Authenticator because the initial steps to add the MS account via 2FA into the app have not been completed. They will hit a dead end. If you cannot access your MS 2FA app because you lose your phone, you simply use the backup options to get back into your MS account, re-enable 2FA once you've got the replacement phone and have installed the Authenticator app, then restore the backup.
At no point in any of this can anyone other than you get into the Authenticator and start 2FAing your accounts to get in unless you divulge your backup codes or something equally silly like that.