Sync Users between different Keycloak instances
I would recommend dedicated "local" Keycloak in each company (with configured user federation to Active Directory). And one "global" Keycloak instance, which will have configured Identity Brokering
to all "local" Keycloak instances. "local" admins will have still full power to manage their users and customize login theme. Users will have to select identity provider from the "global" Keycloak login page or apps may use client-suggested identity provider with kc_idp_hint
query parameter.