
I've read most of the EU rulings and court cases on this topic. The CLOUD Act is basically the only US law that any of them mention or refer to.

And let's be explicit here: The entire purpose of the CLOUD Act is to bypass EU data protection laws. The incident that led to the creation of this law is that Microsoft didn't hand data over to the FBI because the data was on a server in Ireland. This isn't an unintended consequence, this is what the law is supposed to do.



The point of the CLOUD Act was to say that if you are a company in the US you can't ignore an order to turn over a copy of data you control just because you happen to have stored that data with a third party storage provider that is not in the US.

It doesn't matter that the third party storage provider is not under US jurisdiction because the US government isn't trying to compel the third party storage provider to do anything. They are trying to compel the US company to access its own documents that it stored with that third party, using the same mechanisms the US company normally uses when it wants to access its data.

From the third party storage provider point of view there is no difference between the US company retrieving the data because it wants to do something with it itself or the US company retrieving the data because they are being compelled to by law enforcement.

This is really just clarifying that the rules for electronic documents are not very different from the rules for physical documents. If I am in the US and own a document that a US court orders me to produce a copy of I'm not going to be able to get out of that by telling them that the document is in a filing cabinet in a storage unit I rent in Canada or Mexico. No, they are going to order me to either go get that document or have someone go get it for me and give it to the court.

If it didn't work this way every US company that has any documents they think might get them in trouble if they are ever investigated would rent some storage space outside the US, physical space if the documents are on paper and cloud storage space if they are electronic, and store everything there. Boeing for instance would have all its information about the 737 MAX outside of the US. Tesla would have everything related to full self-driving outside the US. Everyone would keep HR records outside the US to make it harder for plaintiffs if the company is ever sued over alleged discrimination.


There's a critical nuance that you're ignoring, which is whose data is being stored. In the incident in question, it wasn't Microsoft's data. It was the data of a customer of Microsoft. You're treating several different scenarios as "data controlled by Microsoft," but there are sharp distinctions between Microsoft's own HR records, vs an email belonging to one of Microsoft's customers.

US law doesn't distinguish these scenarios very much because of the Third Party Doctrine, where data given to a third party has no expectation of privacy. But this is a view rather particular to the US not shared by much of the rest of the world, and certainly not by GDPR (or its predecessors). One way or another, the CLOUD Act is still basically saying that US legal doctrine applies to data stored in other jurisdictions. And GDPR is stating, correctly, that this doctrine is not compatible with EU data privacy obligations. EU policy is very much the opposite of the Third Party Doctrine (and the winds are slowly turning against it in the US as well), and third-party data controllers have positive obligations to safeguard the privacy of data given to them.

Given this scenario, I don't see the nightmare scenario you're posing actually manifesting. EU data protection laws do nothing to curtail Microsoft handing over Microsoft's data. There's just data that Microsoft physically stores which is not legally theirs.



