Cisco FTD RA-VPN - LDAP Mapping

NetworkPitu
Level 1

Hey guys,

Some time ago I implemented MFA with Azure AD for Remote Access VPN in my company. We are using two Cisco FTD 1140s managed via Cisco FMC in two different main locations, let's say New York and San Francisco. We also have two VPN profiles, one for each location, which assign different subnets. So a user connects to NY_Firepower and selects the User_MFA_NY profile; the same applies for SF_Firepower -> User_MFA_SF. After implementing 2FA with Azure AD for VPN, I added a SAML server with two MS Entra apps, one for each location. All is working fine, except for assigning the correct group policy to users depending on which Active Directory group is assigned to their account. Previously we used RADIUS for authentication and authorization. So for example:
A user has the IT_Admin AD group, and in RA-VPN GP we have IT_Admin_NY and IT_Admin_SF (which assign different IP pools, since each location's VPN has a different local IP range), and now it only assigns the main policy that is selected on the RA-VPN profile.

I have tried to fix it with LDAP mapping, but Cisco does not allow me to map one attribute to two different group policies. How can I fix this issue so that Cisco will assign the correct group policy according to the AD group?
