I had the very same problem. Someone with an IP-address from California (around Los Angeles) tried to make me approve a login-request. Given that I have not been to California, and I did not use a VPN to pretend to be there, those attempts were definitely not from me.
After that guy tried this twice within a couple of days in between, I decided to fix this security hole I had been very unhappy with from the very beginning. After all, I started using the Authenticator app to have 2-Factor-Authentification for additional security and not a less secure but more convenient 1-Factor-Authentification.
Before I start describing my workaround: Some here suggested autofill is the cause of the problem. I can assure you that this is most definitly not the case. I have logged in from many different devices and virtual machines, some could not possibly know my password. The problem is that if you add the MS-Authenticator app as a login option, you are no longer being asked for your password. You get straight that prompt on your phone and that's it. Microsoft does not allow you to disable that behavior.
Here is the workaround:
Add the MS account to the MS Authenticator app if not already done so, then open the entry for the MS account. There you will find an option called "Update Security Info". Click on it. Remove the authenticator app from the list of log-in options. (Alternatively, you can do the removal part using a browser).
Once you have removed the app from the log-in option list, you will still find the entry in the MS Authenticator-app. While you will no longer get those sign-in requests and have to use your password, that entry will also not do anything else. That one-time password code is only for show. All the 2-FA will be done using your alternative email or text messages send to your phone.
But you will need this otherwise useless entry if you want to enable or keep enabled sync in the authentificator app.
If you prefer not to use sync for security reasons, do not add the account to the MS app and if you have already done so, follow the steps above, then disable backup if enabled and remove the useless entry.
If you are like me, you do not wnat your security codes to be send via alternative email or text message but use the damn authentifcator app. To achieve this, go to your MS account using a browser. Preferably, use a PC so you can use your phone to scan a QR code from the PC's screen.
Once logged in your account, go to Security -> Advanced security options. There you will find an entry "Ways to prove who you are". That's exactly the place you have removed the Authentificator app from. Now we add it back but with a trick. Press on the "+ Add new way to sign in or verify" button. Select "Use an app". On the setup screen DO NOT press on "Get it now". Very important. Press on the blue hyperlink above saying "set up a different Authenticator app". Press on that and follow the instructions. The trick is, use the MS Authentificator app anyways. The QR code will work with it.
Once you are done, you will have a second MS Account entry for the same account (if you use sync). That second entry has working one-time passwords that can actually be used for 2-FA.
Making you jump through all those hoops shows that MS really does not want you to use your passwords anymore but it is still possible if you know how.
Hope you are finding this helpful.