Which verification method should I choose: SMS or call?
Call is safer, for reading your sms you only need a simple program whereas for monitoring your calls, you need an actual person, thereby increasing the effort needed by a lot.
Reading sms is something you can do on as many phones as you want whereas listening to that many calls at the same time is impossible (unless you're the NSA I guess). Even if you found a way to just record the call and then send it, the programming effort here is much greater and you also need a lot more processing power and bandwidth, once more lowering the chance that you're gonna be caught by it.
edit: I just want to add, of course the other guys talking about your threat model are right. If you leave your phone lying around and people can just take it and listen to the code, of course sms would be better. But then again, if you don't even have a lock on it, it wouldn't matter.
As you can see, yeah, it depends, but if you do have a passcode and you're not leaving your phone lying around, calls are better.
It really will depend on your threat model.
SMS may be easier to sniff, or to be intercepted by an malicious app on your phone. So if you are worried about those kind of attack, it may be the better to use the call option.
However, most phones will not require a device unlock to accept a call, so if you leave your phone unattended, ex on your desk, (or it is stolen) one could use it to get a code, while for an SMS you could lock it. Of course most people nowadays never leave the smartphone unattended, but this is only an example on how defining the threat model is important.
For me, as a SECOND authenticator factor, if I cant choose an OTP generator like Google Authenticator, I use SMS for the sake of not needing to answer calls, that is not always convenient, and also because I do not see SMS sniffing as a real possibility in my usage cases. However, as pointed out on the comments by @cornelinux, Google authenticator is vulnerable to certain attacks on the "secret agreement" phase, so again: define and check your threat model.
Neither. Both SMS and phone calls can be forwarded to a phone of an attacker's choice if that attacker can trick your mobile provider into believing he or she is you. Mobile account hijacking attacks like this aren't extremely common (yet), but they are definitely on the rise.
The better option (as @Jedi briefly mentioned) is to use an authenticator app to generate one-time codes that can be used as a second factor to sign-in to your MS account. (Whether to access Outlook.com or any other consumer Microsoft service.) Information on exactly how to set that up can be found here. In terms of the security of this approach, at worst it is dependent on how easily an attacker can either (1) gain physical possession of your phone and steal the shared secret that the authenticator app uses to calculate one-time codes from the phone's storage or (2) thoroughly compromise the phone via remote attack and do the same. The difficulty involved for an attacker to do either of those things depends quite a bit on the phone's OS, configuration, and hardware security elements. But it is highly likely that, across the run of things, taking this route would make an attacker's job significantly harder than using SMS or in-call audio codes.
(Now, of course, that doesn't necessarily mean that the phone authenticator app approach is better than every other possible authentication technology that now exist out there. A smartcard or hardened USB key approach would likely be more robust, as would a high-security challenge-response mechanism implemented with a dedicated hardware token [example], as would.... But here we're talking about 2FA options that Microsoft Account authentication supports today.)