diff --git a/authentik/core/models.py b/authentik/core/models.py
index 029a51895..b144d4761 100644
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@@ -143,21 +143,25 @@ class User(GuardianUserMixin, AbstractUser):
     @property
     def avatar(self) -> str:
         """Get avatar, depending on authentik.avatar setting"""
-        mode = CONFIG.raw.get("authentik").get("avatars")
+        mode: str = CONFIG.y("avatars", "none")
         if mode == "none":
             return DEFAULT_AVATAR
+        # gravatar uses md5 for their URLs, so md5 can't be avoided
+        mail_hash = md5(self.email.encode("utf-8")).hexdigest()  # nosec
         if mode == "gravatar":
             parameters = [
                 ("s", "158"),
                 ("r", "g"),
             ]
-            # gravatar uses md5 for their URLs, so md5 can't be avoided
-            mail_hash = md5(self.email.encode("utf-8")).hexdigest()  # nosec
             gravatar_url = (
                 f"{GRAVATAR_URL}/avatar/{mail_hash}?{urlencode(parameters, doseq=True)}"
             )
             return escape(gravatar_url)
-        raise ValueError(f"Invalid avatar mode {mode}")
+        return mode % {
+            "username": self.username,
+            "mail_hash": mail_hash,
+            "upn": self.attributes.get("upn", ""),
+        }
 
     class Meta:
 
diff --git a/authentik/lib/default.yml b/authentik/lib/default.yml
index 061e2139d..fe5056e7f 100644
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@@ -50,12 +50,12 @@ outposts:
   # %(build_hash)s: Build hash if you're running a beta version
   docker_image_base: "ghcr.io/goauthentik/%(type)s:%(version)s"
 
-authentik:
-  avatars: gravatar  # gravatar or none
-  geoip: "./GeoLite2-City.mmdb"
-  # Optionally add links to the footer on the login page
-  footer_links:
-    - name: Documentation
-      href: https://goauthentik.io/docs/
-    - name: authentik Website
-      href: https://goauthentik.io/
+avatars: env://AUTHENTIK_AUTHENTIK__AVATARS?gravatar
+geoip: "./GeoLite2-City.mmdb"
+
+# Can't currently be configured via environment variables, only yaml
+footer_links:
+  - name: Documentation
+    href: https://goauthentik.io/docs/
+  - name: authentik Website
+    href: https://goauthentik.io/
diff --git a/website/docs/installation/configuration.md b/website/docs/installation/configuration.md
index 5668ce052..6d987c3b3 100644
--- a/website/docs/installation/configuration.md
+++ b/website/docs/installation/configuration.md
@@ -104,8 +104,16 @@ Defaults to `info`.
 
   Placeholder for outpost docker images. Default: `ghcr.io/goauthentik/%(type)s:%(version)s`.
 
-### AUTHENTIK_AUTHENTIK
+### AUTHENTIK_AVATARS
 
-- `AUTHENTIK_AUTHENTIK__AVATARS`
+Configure how authentik should show avatars for users. Following values can be set:
 
-  Controls which avatars are shown. Defaults to `gravatar`. Can be set to `none` to disable avatars.
+- `none`: Disables per-user avatars and just shows a 1x1 pixel transparent picture
+- `gravatar`: Uses gravatar with the user's email address
+- Any URL: If you want to use images hosted on another server, you can set any URL.
+
+  Additionally, these placeholders can be used:
+
+   - `%(username)s`: The user's username
+   - `%(mail_hash)s`: The email address, md5 hashed
+   - `%(upn)s`: The user's UPN, if set (otherwise an empty string)