One would hope that plaintext passwords aren't fed through a long pipeline of legacy systems. As soon as it's hashed, which is the first thing you should do, length is no longer an issue.
Microsoft have over five different places you can change a password (all of which conform to the same set of business rules). That's the issue, it isn't a pipeline issue, it is that Microsoft consolidated tons of different services under a Microsoft Account so have a ton of redundant ways of doing something.
Microsoft Accounts/.Net Account/Passports, are a huge mess in general that Microsoft need to fix. Password length restrictions still may not go away even if they did (for backwards compatibility reasons with older software/hardware still around).
Oh don't get me started about this mess. I use Skype for the browser rather than any of the installable clients. There are days when it's simply not possible to login when you're redirected around that whole MS "live login" thing.
Every other time I've logged into to a MS site (say my dev account for VS Community) some other login for something else run by MS breaks...then I have to go hunting down cookies to delete. I've wasted tens of hours of my life over the past few years on this crap.
Yes, but you might have other legacy systems that implemented the validation rules for passwords. Changing these rules would prevent people from logging into legacy systems if they signed up via a newer flow with fewer restrictions.
