Hi @muneeb.ali07
I assume you want to authorise the users when connecting to a VPN using AnyConnect? If you are using ISE, you would create different authorisation rules using AD groups as conditions. E.g.
What kind of integration of AnyConnect and Umbrella are you looking for? There is the AnyConnect Umbrella module, which is integrated into the AnyConnect client, running ASA/FTD makes no difference to AnyConnect. If off-site and not connected to the VPN tunnel, DNS requests would go direct to Umbrella. If on the tunnel then the DNS requests are tunneled to the internal DNS server.