Required roles to enable a device to use ActiveSync on MS365
Solution 1:
Azure AD admin roles is one thing, but Exchange Online has additional (internal, specific) Role Based Access Control.
You need to make sure your admin account has the 'Mail Recipients' Admin Role in Exchange Online.
It is contained in either Organization Management' or 'Recipient Management' role groups.
Here is how to assign it.
How to check required permissions for a cmdlet in Exchange Online Powershell:
Get-ManagementRole -Cmdlet Set-CASMailbox -CmdletParameters ActiveSyncEnabled