Microsofts Authenticator App allows backups of the MFA secrets on iOS at least. As far as I understood, it does the backup of the secrets to iCloud and requires a separate microsoft account (o365 won't do) to store an encryption key. So an attacker would need to breach both accounts.