diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index 5f34cbcba4..5e15f14973 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -273,7 +273,7 @@
{
"name": "enablePrivateSubnet",
"type": "Microsoft.Common.OptionsGroup",
- "label": "*New* Deny virtual networks not using private subnets",
+ "label": "*New* Enforce subnets should be private",
"defaultValue": "Audit only (recommended)",
"visible": true,
"toolTip": "If 'Audit' is selected then Azure Policy will audit whether virtual network subnets are private in the Platform and Landing Zones management groups. We are only enabling AUDIT at this time, as ALZ will not deploy if DENY is selected currently.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.",
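Review bot: The new label on `enablePrivateSubnet` says "Enforce", but the `defaultValue` is `Audit only (recommended)` and the tooltip states that only AUDIT is enabled because ALZ will not deploy with DENY. An operator reading the label alone may assume subnets with default outbound access are blocked, when they are only reported as non-compliant. A label that matches the actual effect would avoid that, for example `"label": "*New* Audit that subnets are private (default outbound access disabled)"`. The option list for this control lies outside the hunk, so it is unclear whether a Deny choice is still offered; if it is, the deployment-failure warning belongs next to that option rather than only in the tooltip.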