diff --git a/.env.example b/.env.example
index fb9eba2506..b56ba20d05 100644
--- a/.env.example
+++ b/.env.example
@@ -181,8 +181,12 @@ LIGHTNING_LNBITS_API_KEY=
LIGHTNING_LNBITS_LNURLP_URL=
LIGHTNING_LND_API_URL=
LIGHTNING_LND_ADMIN_MACAROON=
-# Path to the live LND TLS cert file on disk (mounted into the container)
+# Path to the live LND TLS cert file on disk (mounted into the container).
+# Takes precedence over LIGHTNING_API_CERTIFICATE when set.
LIGHTNING_API_CERTIFICATE_PATH=
+# TLS certificate for the LND connection (inline PEM,
as line separator).
+# Only used when LIGHTNING_API_CERTIFICATE_PATH is not set (e.g. Azure).
+LIGHTNING_API_CERTIFICATE=
MONERO_WALLET_ADDRESS=
MONERO_NODE_URL=
diff --git a/src/config/config.ts b/src/config/config.ts
index b97bfd2d2b..0c75396d2b 100644
--- a/src/config/config.ts
+++ b/src/config/config.ts
@@ -1287,11 +1287,14 @@ export class Configuration {
function readCert(): string | undefined {
const path = process.env.LIGHTNING_API_CERTIFICATE_PATH;
- if (!path) return undefined;
+ if (path) {
+ // Path is set: read the live LND cert from disk and let a missing/unreadable file throw,
+ // so a broken mount surfaces immediately instead of being masked by a stale fallback.
+ return readFileSync(path, 'utf8');
+ }
- // Path is set: read the live LND cert from disk and let a missing/unreadable file throw,
- // so a broken mount surfaces immediately instead of being masked by a stale fallback.
- return readFileSync(path, 'utf8');
+ // Fallback for environments without a cert file mount (e.g. Azure App Service).
+ return process.env.LIGHTNING_API_CERTIFICATE?.split('
').join('\n');
}
function splitWithdrawKeys(value?: string): Map {
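Review bot: The new fallback at the end of `readCert` returns the env value unvalidated, so an empty `LIGHTNING_API_CERTIFICATE=` (the default added to `.env.example`) now yields `''` where the function used to return `undefined`, and a value pasted with the wrong line separator passes through as a single-line string. The caller is outside this hunk, but if the result is used as the trusted certificate for the LND connection that carries the admin macaroon, a malformed value should fail at startup the way an unreadable file does on the path branch, rather than surfacing later as a TLS error or a differently-configured connection. After the separator replacement, with the result held in a local `pem`, `if (!pem?.trim()) return undefined;` followed by `if (!pem.includes('-----BEGIN CERTIFICATE-----')) throw new Error('LIGHTNING_API_CERTIFICATE is not a PEM certificate');` would keep both branches equally strict. It would also help operators to add a one-line comment that the inline copy is static and must be updated by hand whenever the LND certificate is rotated, since that is the stale-fallback case the path branch's comment warns about.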