Apple - Device Enrollment program

You can use DEP and restore from an iCloud backup. That's what we have here and it works fine. It's also worth running all older devices through configurator (as and when you have hands on and can wipe) so you can add them to DEP.

What about this unlock token.
If I have apple configurator 2 installed on a mac as far I can read the unlock code is saved in the keychain. So only way to keep those token is to general backup this mac book ?
Or is there anyway a different way with somekind of "online" storage of those tokens. Would be best if they would be connected to company dep apple ID

You mean the Activation unlock code?

Once the device is in DEP you're good to go.

So user has old device, backs up to iCloud.

User gets new phone and restores from iCloud backup as part of the setup options. Following that the MDM enrol screen appears (DEP) and the user logs in to the MDM server and grabs policies etc.

The unlock token for Activation Lock is generated then stored and managed by the MDM server - Jamf or whatever you use. To turn off activation lock you select the device in MDM of choice and send the unlock command.

You can use Configurator but if the device is enrolled via DEP and you have supervision enabled on your MDM server you're all sorted.

You should definitely be using a standalone company Apple ID for the DEP - don't use this for anything else, especially the App Stores.

Al