Your first secured Entra ID backup
in under 10 minutes.

CYBBACK offers two ways to get started. Both unlock the full Entra ID feature set.

Option A — Free trial

1. Open cybback.com/essai-gratuit.
2. Fill in your work email, company and a password. Click Start free trial.
3. Confirm via the verification email.
4. On the trial selection screen, pick Microsoft Entra ID. Your trial workspace is provisioned instantly.

Option B — Paid licence (Stripe checkout)

1. Go to cybback.com/tarifs and pick the Entra ID plan that matches your tenant size.
2. Click Subscribe. Stripe Checkout supports cards, SEPA and invoicing on annual plans.
3. Your licence is active immediately — visible under Account → Subscription.

CYBBACK authenticates against Microsoft Graph using a dedicated app registration with the minimum required permissions. This takes 5 minutes in the Azure portal.

1. Create the app registration

1. Open entra.microsoft.com as a Global Admin.
2. Go to Identity → Applications → App registrations → + New registration.
3. Name it CYBBACK Backup. Account types: Single tenant. Leave redirect URI empty. Click Register.
4. Copy the Application (client) ID and Directory (tenant) ID from the overview page.

2. Grant API permissions

1. In the new app, go to API permissions → + Add a permission → Microsoft Graph → Application permissions.
2. Select read-only permissions for: Directory.Read.All, User.Read.All, Group.Read.All, Application.Read.All, Policy.Read.All, Device.Read.All, RoleManagement.Read.Directory.
3. For restore capability, also add the matching ReadWrite permissions.
4. Click Grant admin consent at the top.

3. Create a client secret

1. Go to Certificates & secrets → + New client secret.
2. Set expiration (24 months recommended) and copy the Value immediately — Azure won't show it again.

4. Paste credentials into CYBBACK

1. Open app.cybback.com/dashboard/entra-backup → Settings.
2. Paste Tenant ID, Client ID, Client Secret. Click Save credentials.
3. CYBBACK runs an authentication test. Green badge = ready.

Backup files are stored on CYBBACK's secure EU infrastructure by default. Add a second layer with client-side encryption: each file is encrypted before it leaves the worker.

1. On the Settings tab of the Entra ID page, scroll to Security options.
2. Toggle AES-256 Encryption ON.
3. Click Save. Applies to new backups; previous backups remain readable.

Want full data sovereignty? Point CYBBACK at your S3-compatible bucket — AWS S3, Scaleway, OVH, Wasabi, MinIO, Backblaze B2, IBM COS. Your data, your provider, your region.

Provision the bucket

1. In your S3 provider, create a private bucket (no public access, versioning recommended).
2. Create an access key / secret key with permissions limited to that bucket.
3. Note your endpoint URL and region.

Configure CYBBACK

1. Open Dashboard → Storage.
2. Select My own S3 storage.
3. Fill the form, click Test connection, then Save.

• Required IAM actions: PutObject, GetObject, DeleteObject, ListBucket.
• Resilience: CYBBACK stores an encrypted snapshot of S3 credentials with each backup. Old backups remain restorable even after you switch providers.

You're now fully configured. Time to run your first Entra ID backup — manually for instant peace of mind, then schedule recurring runs.

Manual backup

1. Go back to the Dashboard tab on the Entra ID page.
2. Click Run backup now. The job appears with status pending, then running.
3. Progress is streamed live: object types fetched, items captured, manifest written.

Schedule automatic backups

1. From Dashboard → Schedules, click New schedule.
2. Service: Microsoft Entra ID. Frequency: Daily / Weekly / Custom (cron).
3. Pick a time window (e.g. 02:00 UTC) and click Save.

Track your backups

• Real-time: the Events page streams every operation across all services via SSE.
• Notifications: success / failure / drift alerts via email, Slack and webhooks.
• Drift detection: alerts when an unusual number of users, groups or apps disappear between two runs — perfect to catch accidental mass deletions.

CYBBACK uses a hybrid restore strategy unique to Entra ID: deleted objects under 30 days old are restored from Microsoft's native recycle bin (preserving SIDs and references); older objects are recreated from the backup with full attribute fidelity.

The 3-step restore flow

1. Selection. Open the backup, browse the 23 object types (Users, Groups, Applications, Policies…), tick what you want to recover. Search by displayName or UPN.
2. Options. Choose your safety net:
   • Dry-run — simulate, no Graph write.
   • Overwrite — re-apply backed-up attributes on existing objects.
   • Target tenant — restore into a different Entra tenant (provide its tenantId / clientId / clientSecret).
3. Execution. A worker picks up the job, restores in the background, reports progress in real-time. You can close the tab — completion is emailed.

Best practices

• Always start with a dry-run — especially in production tenants.
• Restore users early. Group memberships, role assignments and license bindings depend on user objects existing first. CYBBACK orders the restore queue automatically.
• Cross-tenant restore requires an app registration with admin-consented permissions in the target tenant.