diff --git a/services/graph/pkg/config/parser/parse.go b/services/graph/pkg/config/parser/parse.go
index 7223df008..eb400899b 100644
--- a/services/graph/pkg/config/parser/parse.go
+++ b/services/graph/pkg/config/parser/parse.go
@@ -3,6 +3,7 @@ package parser
 import (
 	"errors"
 	"fmt"
+	"slices"
 
 	"github.com/go-ldap/ldap/v3"
 
@@ -42,6 +43,10 @@ func Validate(cfg *config.Config) error {
 		return shared.MissingJWTTokenError(cfg.Service.Name)
 	}
 
+	if !slices.Contains([]string{"ldap", "cs3"}, cfg.Identity.Backend) {
+		return fmt.Errorf("'%s' is not a valid identity backend	for the 'graph' service", cfg.Identity.Backend)
+	}
+
 	// ensure that the "cs3" identity backend is used in multi-tenant setups
 	if cfg.Commons.MultiTenantEnabled && cfg.Identity.Backend != "cs3" {
 		return fmt.Errorf("Multi-tenant support is enabled. The identity backend must be set to 'cs3' for the 'graph' service.")
diff --git a/services/graph/pkg/config/parser/parse_test.go b/services/graph/pkg/config/parser/parse_test.go
index 0d0ee61ed..fdb421fec 100644
--- a/services/graph/pkg/config/parser/parse_test.go
+++ b/services/graph/pkg/config/parser/parse_test.go
@@ -60,4 +60,10 @@ var _ = Describe("Validate", func() {
 		})
 	})
 
+	It("rejcts a setup with an invalid identity backend", func() {
+		cfg.Identity.Backend = "invalid-backend"
+		err := parser.Validate(cfg)
+		Expect(err).To(HaveOccurred())
+		Expect(err).To(MatchError(ContainSubstring("is not a valid identity backend")))
+	})
 })