675 Views, 0 Helpful, 10 Replies

Anyconnect VPN 2FA - issue with user authorization

NetworkPitu
Level 1

Hi guys,

so I have another problem. We implemented 2FA for Anyconnect VPN with Azure AD. All is working fine, but there is one big problem: users are not receiving custom settings by AD group. Like we had previously with RADIUS, we have many AD groups for Anyconnect which control settings like IP addresses, DNS, split/full tunneling, etc. All of this is set up in FMC -> Objects -> VPN -> Group Policy. The Remote Access profile has some default policy assigned, DfltGrpPolicy, which has a dummy IP address, no DNS and full tunneling, because those settings are controlled by AD groups. But after implementing 2FA there is only authentication by Azure AD; authorization for access or user VPN settings is not done. Those are statically set up in the Remote Access Profile policy. So is there any way to make this work again but with 2FA? I read about an Azure AD Realm but I am not sure if this is the right solution.

Thanks in advance

10 Replies

Marvin Rhoads
Hall of Fame

Typically in such a situation we use a separate policy server for authorization. Authenticate with Azure AD / Entra ID and MFA and then authorize with a RADIUS server (like Cisco ISE) or use something like LDAP attribute mapping to assign users to a desired group-policy after authentication.

Thank you, Marvin, for the answer.

So we have set up RADIUS on a Windows Server machine with Network Policy Server. On FMC we have added a RADIUS server pointing to this Windows Server. Previously, before implementing 2FA, we had authentication on RADIUS as well, the same as authorization and accounting.

So I made a test. I kept the authentication server set to SAML and selected our RADIUS as the authorization server, and of course the group policy is the default one I mentioned before. But it is the same issue. Instead of getting VPN settings like IP pool, DNS server and split/full tunneling from the group policy based on the user's group in AD, it used this default DfltGrpPolicy.

Have you checked the RADIUS server logs or a packet capture to confirm the incoming authorization requests and associated replies? A view of the actual request/reply traffic will usually highlight what might be wrong with the setup.

I checked the RADIUS log and there are only entries about connecting to the domain controller. There are no errors or information regarding authorization of VPN users. Can you please tell me how I can do this packet capture for RA-VPN to check the replies and the path from login - authentication with 2FA - authorization with RADIUS - back to the user?

I think I found the reason. In the Remote Access policy, Advanced tab, we have selected "Use authorization server (Only for RADIUS or Realm)", but we have selected SAML for Azure MFA, and I think that's why it won't work. So is there any option to use the authorization server here to authorize users based on their AD group for access to resources and VPN settings?

Yes, as I had noted in my 21 March reply, you would use SAML only for Authentication and RADIUS only for Authorization.

Yes, I understand that. And I have selected the authentication method as SAML only, pointing to our Azure AD SAML app, and I also selected authorization to our RADIUS server, but it didn't work, as I wrote. But I noticed an option that says "Authorization server (only for RADIUS or Realm)". Screenshots attached. So as I understand it, I can only use the authorization server with the RADIUS or Realm auth method? Or am I wrong? If so, how can I "tell" the VPN to additionally authorize the user with RADIUS, even if I have selected it in the RA_VPN profile settings?

Also I checked the RADIUS logs and I don't see any information about user authorization. Only that RADIUS successfully connected to the domain controller, and that's it.

The authorization server setting you showed should send a RADIUS Authorization request for any SAML-authenticated user who is using that connection profile. (Note the second setting you showed is only for IP Address Assignment.)

You can capture the traffic on your VPN headend to the RADIUS server using the packet capture troubleshooting tool on the firewall (or with Wireshark on the RADIUS server).
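The advice above is to look at the actual RADIUS request/reply rather than the NPS event log. As an added example that is not part of this thread and not a Cisco tool, the script below decodes an Access-Accept the way the headend does: it checks the Response Authenticator against the shared secret and the request's authenticator (RFC 2865), then looks for the IETF Class attribute (25) carrying `OU=<group-policy-name>`, which is the standard attribute ASA/FTD reads to assign a group-policy from RADIUS, and for Framed-IP-Address (8). An Accept that verifies but carries no such Class value is exactly the case where the connection profile's default group policy gets applied. The packets, shared secret, Request Authenticator and policy name are constructed placeholders, not captured traffic.

```python
"""Added example: decode RADIUS authorization replies and pull out the
group-policy assignment (Class = "OU=<policy>") and Framed-IP-Address.
All sample packets below are constructed; the secret is a placeholder."""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

# RFC 2865 packet codes and the attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, FRAMED_IP_ADDRESS, CLASS = 1, 8, 25


def build_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute TLV: type (1 byte), length incl. header, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute area; reject truncated or zero-length TLVs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad attribute length {length} at offset {i}")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def response_auth(code: int, ident: int, length: int, req_auth: bytes,
                  attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + req_auth + attrs + secret).digest()


def build_reply(code: int, ident: int, req_auth: bytes, secret: bytes,
                attrs: bytes) -> bytes:
    """Assemble a server reply (used here only to construct sample traffic)."""
    length = 20 + len(attrs)
    auth = response_auth(code, ident, length, req_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, length) + auth + attrs


def decode_reply(pkt: bytes, req_auth: bytes, secret: bytes) -> dict:
    """Parse a reply and verify it against the matching request's authenticator.
    A mismatch means a wrong shared secret or a tampered/forged reply."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    attrs_raw = pkt[20:length]
    expected = response_auth(code, ident, length, req_auth, attrs_raw, secret)
    if not hmac.compare_digest(expected, pkt[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or tampered reply")
    return {"code": code, "id": ident, "attrs": parse_attrs(attrs_raw)}


def group_policy(reply: dict) -> Optional[str]:
    """Group policy the headend would take from a Class 'OU=<name>' value.
    None means no assignment was sent, so the connection profile's default
    group policy is what the user ends up with."""
    if reply["code"] != ACCESS_ACCEPT:
        return None
    for attr_type, value in reply["attrs"]:
        if attr_type == CLASS and value.startswith(b"OU="):
            return value[3:].decode("ascii")
    return None


def framed_ip(reply: dict) -> Optional[str]:
    """Framed-IP-Address (8), if the server assigned one."""
    for attr_type, value in reply["attrs"]:
        if attr_type == FRAMED_IP_ADDRESS and len(value) == 4:
            return ".".join(str(b) for b in value)
    return None


# --- Constructed sample traffic (placeholder secret and authenticator) ---
SECRET = b"placeholder-shared-secret"
REQ_AUTH = bytes(range(16))  # Request Authenticator copied from the Access-Request
ACCEPT_WITH_POLICY = build_reply(
    ACCESS_ACCEPT, 0x2A, REQ_AUTH, SECRET,
    build_attr(CLASS, b"OU=GP-Engineering")
    + build_attr(FRAMED_IP_ADDRESS, bytes([10, 20, 30, 40])))
ACCEPT_NO_POLICY = build_reply(ACCESS_ACCEPT, 0x2B, REQ_AUTH, SECRET, b"")
REJECT = build_reply(ACCESS_REJECT, 0x2C, REQ_AUTH, SECRET, b"")

if __name__ == "__main__":
    for name, pkt in [("accept with Class", ACCEPT_WITH_POLICY),
                      ("accept without Class", ACCEPT_NO_POLICY),
                      ("reject", REJECT)]:
        r = decode_reply(pkt, REQ_AUTH, SECRET)
        print(f"{name}: code={r['code']} group-policy={group_policy(r)} "
              f"framed-ip={framed_ip(r)}")
```

To feed it real data, take the UDP payload of the reply from a capture on the FTD (a Lina capture in the style of `capture rad interface inside match udp any any eq 1812`, the interface name being an assumption) or from Wireshark on the NPS, together with the Request Authenticator from the matching Access-Request. Three outcomes are worth telling apart: no Access-Request at all in the capture (the headend is not sending an authorization request), an Access-Accept with no Class attribute (NPS is not returning the policy; on NPS the Class value is set on the network policy under Settings > RADIUS Attributes > Standard), or an authenticator failure (shared-secret mismatch between FMC's RADIUS server object and the NPS client entry).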

I will check the packets. Also I noticed that when I wanted to enable the previous VPN profile with RADIUS, like we had previously, there is the same issue even though it has the same settings: no authorization via RADIUS, including IP assignment, DNS and full/split tunneling. So there is definitely something wrong with the RADIUS connection. Or it is some kind of bug, we have had a few of them recently, or really some issue with the RADIUS connection, even though I can ping it without any issues from the FTD.