As someone in the security industry, I find it amazing how much we've told people (in awareness training) to "not click things on the thing-clicking machine™" while simultaneously having processes like password resets that require doing it.
Fake password reset links are also a common attack vector, so yes people are told to be also cautious of those.
Otherwise it's been a while I haven't seen an reset link instead of a reset code. Copy/pasting is not much of a hassle, and it works even if the mail is checked on a different device.
The only real link I had to deal with were app callbacks that were explicitly labeled as such (with instructions from the app to explain what to expect)
Be careful of those as well, but in this case it's quite simple: password reset links should only be sent when the user explicitly requests them; of you receive an unexpected email asking you to reset your password, don't click the link.
Ok. So now my users get random login links for sites we may or may not use… sure, you Silicon Valley Cool Guy aren’t going to fall for it, but my blue collar Detroit UAW guys might.
Click that stupid magic link for a service we use, and they’re asked for their Office 365 credentials… all the while I’m telling them not to click links in emails.
The point is not to click suspicious links. If you know a magic link was sent, it's not suspicious.
That being said, I hate them just for the delay.