I know. But yes I was thinking that the password still has to go through UIs (Web & Native), be sent over the network and read by the server and only than can it be hashed and compared to the stored hash.

I agree it sounds weird especially since I guess everything is done on top of .NET and JS. Neither of which is likely to suffer from buffer overflows nor would whatever protocols they use have problems transporting large strings with non-ASCII chars. And I don't any other technical problems that might cause.

But there has to be a reason. I guess it's possible someone was overzealous or screwed up. Maybe it was because it would be too hard to type it on an Xbox? Doesn't sound very plausible though.

I doubt that MS is doing password hashing wrong - it's not hard to begin with and they probably learned their lesson from the NT days when they implemented p.hashing poorly and it led to the NT passwords being easy to brute force.