We’ve been on Azure for several years, and have mapped custom domains to cloudapp.net using CNAME records as well as mapped to the IP address, since it is issued at the time your VM or compute slot is originally created, and does not change, unless you delete the slot.
For the purpose of issuing certs, you can’t verify control of cloudapp.net domains, because Microsoft owns (and therefore controls) the domain. So, order your own domain, instead, and map it to cloudapp.net. Then, you can verify control for cert issuance. That’s how we do it now.
We are expectantly watching progress of Let’s Encrypt, and look forward to starting testing of adding certs to our non-production environment. We also have a lot of B2B customers who could leverage Let’s Encrypt, and as this gets stable, we’ll definitely look to recommending integration.