A customer uses pptp / sstp to a rb1100ahx2. They authenticate with their windows domain user and the mikrotik uses radius to verify their credentials. It works.

However, is there any way to make users that are authenticated by radius use different ppp security profiles? Basically what we want is that the software developers should get ppp ip's in the development ip-range, while regular users still get ip from the lan ip-range. Could this be solved i any other way than making local ppp users for the developers? I would imagine either make the developers member of a developer group and/or a separate organization unit in the domain. But how could I make the mikrotik select security profile depending on such grouping? Is there any setting with the radius server that could control this?

The solution is called Framed-pool. This is a setting that can be configured for a network policy on windows server. You set framed-pool=some name, and create a ip-pool on the mikrotik with the same name.