Sonicwall / SMA & AD group Membership

We are in the process of trying to reconfigure our Duo 2FA environment / Sonicwall SMA410.

We currently have the Duo / SMA configured using Radius & a Windows 2019 NPS server.
We currently have the routing set up to route across several offices & also each user can currently see the remote desktop bookmark for all offices.
We want to be able to restrict access to the bookmark / routes based on AD group membership. So if a user is a member of 1 office group they will see the bookmark and have the ability to route & see the bookmark for that office group.
Is there a way to get our AD groups to apply within the radius/duo setup? Radius tagging could be used but this could get very involved as we have 30+ AD groups.
Is there a way to pass AD group membership via Duo to the SMA?

Is NPS already trying to send the group info back but it gets lost at the Duo proxy? Try setting pass_through_all=true in your radius_client section (more info about that option here). Also add that same option to your radius_server_whatever section if you need attributes passed from your SMA to the proxy to be sent to NPS with the access request.
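
A quick way to check the setting suggested in the reply above, as an added example that is not part of the original thread and not Duo's own tooling: it reads an authproxy.cfg and reports, for each radius_server_* section, whether pass_through_all is enabled in each direction. The sample config, its addresses, secrets and keys are constructed placeholders, and treating only the literal value "true" as enabled is an assumption.

```python
import configparser

# Constructed sample authproxy.cfg; hosts, secrets and keys are placeholders.
SAMPLE_CFG = """
[radius_client]
host=10.0.0.10
secret=PLACEHOLDER_NPS_SECRET
pass_through_all=true

[radius_server_auto]
ikey=PLACEHOLDER_IKEY
skey=PLACEHOLDER_SKEY
api_host=PLACEHOLDER_API_HOST
radius_ip_1=10.0.0.20
radius_secret_1=PLACEHOLDER_SMA_SECRET
client=radius_client
port=1812
"""


def audit_pass_through(cfg_text):
    """Report attribute pass-through per radius_server_* section."""
    # interpolation=None: shared secrets may legitimately contain '%'.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(cfg_text)

    def enabled(section):
        # Assumption: only the literal value "true" counts as enabled.
        value = parser.get(section, "pass_through_all", fallback="false")
        return value.strip().lower() == "true"

    results = []
    for name in parser.sections():
        if not name.startswith("radius_server_"):
            continue
        client = parser.get(name, "client", fallback="")
        is_radius = client.startswith("radius_client") and parser.has_section(client)
        results.append({
            "server_section": name,
            "client_section": client,
            # Attributes returned by NPS copied into the reply to the SMA.
            "reply_attrs_to_sma": is_radius and enabled(client),
            # Attributes sent by the SMA copied into the request to NPS.
            "request_attrs_to_nps": enabled(name),
        })
    return results


if __name__ == "__main__":
    for row in audit_pass_through(SAMPLE_CFG):
        print(row)
```
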