Group Based Filtering - using NPS

Hi All,

I have a requirement where we need to allow only some identified AD group members to log in to the switch (SSH or Web).

Without privacyIDEA, this is working perfectly fine, but when we point NPS to FreeRADIUS, there is no option to set a condition to validate group membership for this authentication.
The problem is that 2FA is working perfectly fine, but there are no restrictions by group and all users can access it.

Do you have any suggestions?