
I seriously doubt that this is the case (though I have no visibility into Microsoft account auth). Most likely, there was some poor design choice years ago (such as the one you described) that has been corrected, but the effects it has caused haven't been fixed through the codebase. E.g., I would not be surprised if the code contains something like this:

  struct user_auth
  {
    char username[64];
    char pw[16]; // TODO: Allow longer passwords
    //...
  };

  bool authenticate_user(user_auth* ua);

This kind of code would limit passwords to 16 characters, but would be irrelevant to how passwords are currently hashed or stored.
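
An added example, not part of the comment above and not code from any real product: it shows how a leftover fixed-width `pw` field like the one sketched there caps the effective password length upstream of whatever hash is in use. The function names, the zero-padded field layout and the FNV-1a stand-in digest are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PW_MAX 16 /* width of the legacy pw field in the comment's struct */

struct user_auth {
    char username[64];
    char pw[PW_MAX]; /* assumed fixed-width, zero-padded, no NUL terminator */
};

/* Stand-in digest (FNV-1a) so the example is self-contained. It is NOT a
   password hash; a real system would use a salted, slow KDF here. */
static uint64_t toy_digest(const char *buf, size_t len) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= (unsigned char)buf[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Legacy path: the password is copied into the struct first, so anything
   past PW_MAX bytes never reaches the digest. */
uint64_t legacy_digest(const char *password) {
    struct user_auth ua = {0};
    size_t n = strlen(password);
    memcpy(ua.pw, password, n > PW_MAX ? PW_MAX : n);
    return toy_digest(ua.pw, PW_MAX);
}

/* Checked path: same struct, but over-long input is refused, not cut. */
bool checked_digest(const char *password, uint64_t *out) {
    if (strlen(password) > PW_MAX)
        return false;
    *out = legacy_digest(password);
    return true;
}

int main(void) {
    uint64_t d;
    printf("truncated match: %d\n", legacy_digest("correct-horse-battery-staple")
                                     == legacy_digest("correct-horse-ba-other"));
    printf("long input accepted by checked path: %d\n",
           checked_digest("correct-horse-battery-staple", &d));
    return 0;
}
```

With silent truncation, two passwords that share their first 16 bytes produce the same digest regardless of how strong the digest is; rejecting over-long input at the boundary makes the limit visible instead.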

